On Mon, 29 Oct 2001, Crispin Cowan wrote:

> That strikes me as a problematic example, because it will end up either
> having dependencies on some particular file system that supports
> extended attributes, or being basically useless without the extended
> attributes.
>
> Casey: how do you propose to deal with the extended attributes problem?
>
> Rest of the list: do folks think that either a FS-specific module or a
> neutered :-) module would be a convincing argument?

You can implement support for additional file security attributes like ACLs without using the extended attributes kernel patch or a special filesystem type like XFS. The LSM-based SELinux security module maintains mapping files in each filesystem that map inodes to file security contexts. This works just fine with existing filesystem types, but has disadvantages in terms of performance and consistency that would be better addressed through real filesystem support for extended attributes.

Anyway, SGI may be able to provide a POSIX ACLs security module that doesn't depend on a kernel patch. But I don't know what Casey had in mind - I suspect that they do currently depend on the extended attributes patch or on XFS.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private