Re: Authoritative hooks updated to 2.4.13

From: Stephen Smalley (sdsat_private)
Date: Tue Oct 30 2001 - 05:52:08 PST


    On Mon, 29 Oct 2001, Crispin Cowan wrote:
    
    > That strikes me as a problematic example, because it will end up either
    > having dependencies on some particular file system that supports
    > extended attributes, or being basically useless without the extended
    > attributes.
    >
    > Casey: how do you propose to deal with the extended attributes problem?
    >
    > Rest of the list: do folks think that either a FS-specific module or a
    > neutered :-) module would be a convincing argument?
    
    You can implement support for additional file security attributes
    like ACLs without using the extended attributes kernel patch or a special
    filesystem type like XFS.  The LSM-based SELinux security module maintains
    mapping files in each filesystem that map inodes to file security
    contexts.  This works just fine with existing filesystem types, but has
    disadvantages in terms of performance and consistency that would be
    better addressed through real filesystem support for extended attributes.
    Anyway, SGI may be able to provide a POSIX ACLs security module that
    doesn't depend on a kernel patch.  But I don't know what Casey had in mind
    - I suspect that they do currently depend on the extended attributes patch
    or on XFS.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 05:53:31 PST