Re: MAC before DAC vs DAC before MAC

• Previous message: Shafik Yaghmour: "Re: security policy and xml"
• In reply to: Chris Wright: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Reply: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Chris Wright wrote:

> The inode is used for both.

Assume a file with both a POSIX ACL and a MAC label.
The MAC label is small enough to fit in a XFS inode,
the ACL is not. The file hasn't been accessed in so
long its not only not cached, it's been archived
by the HMS. The inode remains on disk, but the extended
information, in this case the ACL, is off line.

We anticipate that the extended attribute mechanism
in 2.5 will look very much like the Irix XFS implementation.
Some attributes will be inode resident, others may not
be, and the difference will be size, not importance, based.


-- 

Casey Schaufler				Manager, Trust Technology, SGI
caseyat_private				voice: 650.933.1634
casey_pat_private			Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Previous message: Shafik Yaghmour: "Re: security policy and xml"
• In reply to: Chris Wright: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Reply: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 27 2001 - 14:53:32 PDT