Re: We are working on the Fedora SELinux FAQ

On Sat, 2010-01-23 at 09:46 -0800, John Reiser wrote:
> > http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
> 
> Q: What is the patent status of SELinux?  List all the patents and
>     patent applications that are "owned by SElinux."  List those that
>     were consciously avoided or worked-around.  Give the citations
>     which constitute prior art to protect the un-patented aspects.

There were 3 patents that were alleged (but never tested in court) in
2002 to be applicable to SELinux: 4,621,321; 4,701,840; 4,713,753.  NSA
issued a statement regarding the matter. The last of those 3 patents
expired in Feb 2005.  I'm not aware of any other patent claims related
to SELinux.  The SELinux site has background information including
papers with extensive citations covering its design and implementation.

I doubt you could answer your questions for most of the other software
in Fedora, so I'm not sure what makes SELinux unique there.

> Q: Is 'tar' the only Fedora-packaged file manipulator that is SELinux
>     aware?  All of the following apps ignore file contexts, and thus
>     do not "interoperate" with SELinux (do not preserve context labels):
>        cp
>        cp -a
>        cpio
>        rsync  # even with local pathnames only
>        zip/unzip, gzip, bzip2, 7zip, lzma, xz
>        sccs, rcs, cvs, svn, mercurial (hg), git, perforce
>        any user-level network protocol: file://, ftp://, http://
>           (therefore: rsync, curl, wget, ftp, sftp, scp, ...)

At least in modern Fedora, cp -a tries to preserve security context,
although it should fail gracefully if not allowed by policy.
$ cp -a /etc/passwd .
$ ls -Z passwd
-rw-r--r--. sds sds unconfined_u:object_r:etc_t:s0   passwd

Or you can use cp --preserve=context to explicitly require preservation
of security context.

Likewise, rsync has xattr support enabled via the -X option, although it
only seems to try to preserve security contexts if run as root.
$ sudo rsync -avX /etc .
$ ls -Z etc/passwd
-rw-r--r--. root root system_u:object_r:etc_t:s0       etc/passwd

> Q: Do file context labels and policy access rules form a "stationary
>     process", such that the only things that matter are the most-recent
>     label and the current policy; any previous history has no effect?
>     Therefore omitting intermediate policy updates, reverting and
>     applying different intermediate policy, applying restorecontext
>     or re-labelling at any time, etc., do not matter?  In particular,
>     re-labelling is idempotent: if done two times in succession
>     then the second time changes nothing?  Also, if two different
>     machines have the same SELinux policy installed [rpm -q], no
>     [current] local changes to policy, and have just done a relabel,
>     then is the on-disk representation bit-for-bit identical?

It should be, yes.

> Q: I have a harddrive partition with a mounted and readonly
>     4.5GB ext2/ext3/ext4 filesystem with non-default file context labels.
>     I want to clone this filesystem onto a DVD-ROM, mount the replicated
>     DVD-ROM on multiple other systems, and get the same behavior
>     on the replicated systems as on the original system.  How?

I'll have to leave that one for someone else to answer.

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
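
The label preservation discussed in the message above (cp -a, cp --preserve=context, rsync -X) can be verified after a copy by comparing the security.selinux extended attribute of each source entry with that of its copy. This is an added example, not part of the original message; the function names and the "<missing>" marker are assumptions made here.

```python
import errno
import os
import sys

XATTR = "security.selinux"  # extended attribute that stores a file's context


def selinux_context(path):
    """Return the context stored on path itself, or None if it has none."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError as exc:
        # ENODATA: no label stored; ENOTSUP: filesystem lacks xattr support.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode()


def context_drift(src_root, dst_root, get_context=selinux_context):
    """List (relative_path, src_context, dst_context) for every entry under
    src_root whose copy under dst_root is absent or labelled differently."""
    entries = [src_root]
    for dirpath, dirnames, filenames in os.walk(src_root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    drift = []
    for src in entries:
        rel = os.path.relpath(src, src_root)
        dst = os.path.join(dst_root, rel)
        src_ctx = get_context(src)
        dst_ctx = get_context(dst) if os.path.lexists(dst) else "<missing>"
        if src_ctx != dst_ctx:
            drift.append((rel, src_ctx, dst_ctx))
    return sorted(drift)


if __name__ == "__main__":
    # e.g. after `sudo rsync -avX /etc .`:  python3 thisfile.py /etc ./etc
    for rel, src_ctx, dst_ctx in context_drift(sys.argv[1], sys.argv[2]):
        print(f"{rel}: {src_ctx} -> {dst_ctx}")
```

An empty result means every entry kept its label; reading the labels of files the caller cannot access needs the same privileges as the copy itself.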
