Re: SELinux metadata protection

From: Stephen Smalley (sds@private)
Date: Tue Jan 03 2006 - 07:46:50 PST


On Mon, 2006-01-02 at 14:06 -0500, schaufler-ca.com - Casey Schaufler
wrote:
> Casey takes a deep breath...
> 
> The filename is not an attribute of the file.
> The pathname components are data contained
> in directory entries. The association of path name
> to inode number is one way. There is no association
> of path name from file. Really. This is the thing
> that makes audit hard.
> 
> Yes, I know "It's obvious". It's just not true.

The world is ending because I agree with Casey on this one...
The filename is not an attribute of the file, and we do not want this
type of filtering on directory reads.  Use the permissions on the
directory itself to control who can see the names it contains.  It is
the data container for the filenames.

Use polyinstantiation aka Multi-Level Directories aka moldy directories
for shared directories like /tmp.

-- 
Stephen Smalley
National Security Agency
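The point both posters make above, that a name lives in a directory entry rather than in the file, can be seen directly with a hard link: two names, one inode, and unlinking one name leaves the file and its other name untouched. The script below is an added illustration, not code from the thread or from SELinux; it uses only POSIX tools (ls, ln, awk, chmod) in a temporary directory, and the function names are my own. The last step shows the model the reply recommends: dropping read permission on the directory hides the names it contains from a non-root user, while the file itself stays reachable by a name the user already knows.

```shell
#!/bin/sh
# Added example (not from the original thread): a file name is a directory
# entry that maps to an inode number, not an attribute stored in the file.

# same_inode DIR: create a file and a hard link to it in DIR, then return 0
# if both names resolve to the same inode number.
same_inode() {
    dir=$1
    : > "$dir/original"
    ln "$dir/original" "$dir/alias"
    i1=$(ls -i "$dir/original" | awk '{print $1}')
    i2=$(ls -i "$dir/alias"    | awk '{print $1}')
    [ "$i1" = "$i2" ]
}

# link_count PATH: print how many directory entries point at PATH's inode
# (field 2 of ls -l). The inode does not know which names these are.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# names_in DIR: print the names the directory holds, space separated.
# This is what a reader of the directory sees, and it is the directory's
# permissions, not the files', that decide who may read it.
names_in() {
    ls -1 "$1" | sort | tr '\n' ' '
}

# listing_hidden DIR: remove read permission from DIR and report whether a
# plain listing now fails. Only meaningful for a non-root caller, since root
# bypasses discretionary permission checks; returns 2 when run as root.
listing_hidden() {
    dir=$1
    if [ "$(id -u)" = "0" ]; then
        return 2
    fi
    chmod a-r "$dir"
    if ls "$dir" >/dev/null 2>&1; then
        return 1     # names still visible
    fi
    # search (x) permission still allows reaching a known name
    cat "$dir/alias" >/dev/null && return 0
    return 1
}

demo() {
    d=$(mktemp -d)
    same_inode "$d" && echo "original and alias share one inode"
    echo "link count of original: $(link_count "$d/original")"
    echo "names in directory:     $(names_in "$d")"
    rm "$d/original"
    echo "after unlink(original), link count of alias: $(link_count "$d/alias")"
    echo "names in directory:     $(names_in "$d")"
    if listing_hidden "$d"; then
        echo "directory unreadable: names hidden, known name still reachable"
    elif [ $? -eq 2 ]; then
        echo "running as root: directory permission check skipped"
    fi
    chmod u+rwx "$d"
    rm -rf "$d"
}

demo
```

Run it as an ordinary user to see the final step take effect. Note that nothing in the file changed when its first name was removed; only the directory's contents and the inode's link count did, which is exactly why a "filename attribute" cannot be derived from the file side.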



This archive was generated by hypermail 2.1.3 : Tue Jan 03 2006 - 07:41:46 PST