Re: [PATCH] Extended Attributes for Security Modules against 2.5.68

From: Andreas Dilger (adilgerat_private)
Date: Wed Apr 23 2003 - 11:54:52 PDT

  • Next message: Stephen Smalley: "Re: [PATCH] Extended Attributes for Security Modules against 2.5.68"

    On Apr 23, 2003  11:25 -0700, Chris Wright wrote:
    > * Christoph Hellwig (hchat_private) wrote:
    > > The other question is why do you name them system.security?  The name
    > > sounds a bit too generic to me.  ACLs are certainly a security feature
    > > and have different ATTRS, similar for the Posix capability and MAC
    > > support in XFS.  As selinux is the flask implementation for Linux
    > > what about system.flask_label?  (or system.selinux_label?)
    > 
    > It's really a namespace issue for user apps trying to deal with xattrs.
    > Being able to display the xattrs associated with a file in sane way,
    > like getxattr(path, "system.security", ...).  Otherwise something like
    > listxattr() then gettxttr(... "system.security.[blah]" ...).  Total
    > freeform naming is a headache for userspace to deal with.  Esp. since we
    > don't want to teach all userland tools about each individual module/policy.
    
    Well, with the exception of backup/restore (which will just treat this
    EA data as opaque and doesn't really care whether the names are fixed
    or not), the tools DO need to understand each individual module
    or policy in order to make any sense of the data.  Otherwise, all you
    can do is print out some binary blob which is no use to anyone.
    
    So, either the tools look for "system.security", and then have to
    understand an internal magic for each module to know what to do with
    the data, or it looks for "system.<modulename>" for only module names
    that it actually understands.
    
    The only reason to use a common "system.security" is if the actual data
    stored therein was usable by more than a single security module.
    
    Cheers, Andreas
    --
    Andreas Dilger
    http://sourceforge.net/projects/ext2resize/
    http://www-mddsp.enel.ucalgary.ca/People/adilger/
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 11:57:38 PDT