Re: [PATCH] Extended Attributes for Security Modules against 2.5.68

From: Stephen C. Tweedie (sctat_private)
Date: Mon Apr 28 2003 - 08:59:16 PDT


    Hi,
    
    On Wed, 2003-04-23 at 19:42, Christoph Hellwig wrote:
    > On Wed, Apr 23, 2003 at 02:35:59PM -0400, Stephen Smalley wrote:
    > > The idea of using separate attribute names for each security module was
    > > already discussed at length when I posted the original RFC, and I've
    > > already made the case that this is not desirable.  Please see the
    > > earlier discussion.
    > 
    > No.  It's not acceptable that the same ondisk structure has a different
    > meaning depending on loaded modules.  If the xattrs have a different
    > meaning they _must_ have a different name.
    
    I'm not convinced --- I don't see much value in trying to preserve MAC
    semantics over load/unload of different security modules, so for sanity
    the important thing is just to be able to detect whether a security
    xattr "belongs" to the current module or not.  That can be done with a
    simple prefix in the xattr value itself.  Trying to make multiple MAC
    labels coexist in different xattrs seems to have little use.
    
    --Stephen
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
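
The ownership check proposed in the message above, as an added example that is not code from the thread or from any LSM patch. The `<module tag>:<label>` value layout, the `TAG_MAX` limit and all names below are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not from the thread): value = <module tag> ':' <label>.
 * xattr values are length-counted byte strings, not NUL-terminated. */
enum xattr_owner { XATTR_OURS, XATTR_FOREIGN, XATTR_MALFORMED };

#define TAG_MAX 32 /* hypothetical upper bound on the tag length */

/* Classify a raw security xattr value for the module named `self`.
 * On XATTR_OURS, *label and *label_len describe the bytes after the tag. */
enum xattr_owner classify_xattr(const char *val, size_t len, const char *self,
                                const char **label, size_t *label_len)
{
    size_t tag_len, self_len = strlen(self);
    const char *sep;

    if (val == NULL || len == 0)
        return XATTR_MALFORMED;
    /* Look for the separator only inside the bounded tag region. */
    sep = memchr(val, ':', len < TAG_MAX + 1 ? len : TAG_MAX + 1);
    if (sep == NULL || sep == val)
        return XATTR_MALFORMED;            /* no separator, or empty tag */
    tag_len = (size_t)(sep - val);
    if (memchr(val, '\0', tag_len) != NULL)
        return XATTR_MALFORMED;            /* NUL byte inside the tag */
    /* Require equal length and equal bytes, so that a tag which merely
     * starts with our name ("selinux2") is treated as foreign. */
    if (tag_len != self_len || memcmp(val, self, tag_len) != 0)
        return XATTR_FOREIGN;
    if (len - tag_len - 1 == 0)
        return XATTR_MALFORMED;            /* our tag, but no label */
    *label = sep + 1;
    *label_len = len - tag_len - 1;
    return XATTR_OURS;
}

int main(void)
{
    /* Constructed sample value, not taken from a real filesystem. */
    const char v[] = "selinux:system_u:object_r:etc_t";
    const char *label = NULL;
    size_t n = 0;

    if (classify_xattr(v, sizeof(v) - 1, "selinux", &label, &n) == XATTR_OURS)
        printf("label: %.*s\n", (int)n, label);
    return 0;
}
```

A module that gets `XATTR_FOREIGN` or `XATTR_MALFORMED` would treat the file as unlabeled under its own policy instead of interpreting another module's bytes.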
    


