From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
"David P. Quigley" <dpquigl@tycho.nsa.gov>,
jmorris@namei.org, gregkh@suse.de, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
SE Linux <selinux@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH] Security/sysfs: v2 - Enable security xattrs to be set on sysfs files, directories, and symlinks.
Date: Wed, 19 Aug 2009 10:47:30 -0700
Message-ID: <4A8C3AB2.6080503@schaufler-ca.com>
In-Reply-To: <1250683089.3629.268.camel@moss-pluto.epoch.ncsc.mil>

Stephen Smalley wrote:
> ...
>> So how often is the SELinux label going to get explicitly set in /sys ?
>> I'm grappling with the value of going hog-wild in optimizing this. If
>> it is something that's quite rare I can see the concern with expanding
>> the d_entry. If it is common, the storage associated with storing the
>> xattr could be an issue. If it is uncommon but not rare there's another
>> story again.
>>
>> I'm looking at addressing the issues. Thank you.
>>
>
> I'd expect most sysfs nodes to be left in the default label, although we
> don't really know as this would be the first time that people have the
> option of finer-grained control to sysfs.

This would be consistent with the Unix MLS experience. Most system
files, including things like sysfs, stick with their original
labels. On the occasion where they get changed the reason is both
important and focused. I had an update almost ready, but I need some
changes to accommodate the assumption that setting an attribute
is rare.