- Backup software with xattr permission support, like bacula: http://www.bacula.org . I don't know if other backup software supports this feature.

--
Jeronimo Zucco
http://jczucco.blogspot.com
Universidade de Caxias do Sul - NPDU

On 01/25/2010 01:24 PM, Stephen Smalley wrote:
> On Sat, 2010-01-23 at 09:46 -0800, John Reiser wrote:
>
>>> http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
>>>
>> Q: What is the patent status of SELinux? List all the patents and
>> patent applications that are "owned by SElinux." List those that
>> were consciously avoided or worked-around. Give the citations
>> which constitute prior art to protect the un-patented aspects.
>>
> There were 3 patents that were alleged (but never tested in court) in
> 2002 to be applicable to SELinux: 4,621,321; 4,701,840; 4,713,753. NSA
> issued a statement regarding the matter. The last of those 3 patents
> expired in Feb 2005. I'm not aware of any other patent claims related
> to SELinux. The SELinux site has background information including
> papers with extensive citations covering its design and implementation.
>
> I doubt you could answer your questions for most of the other software
> in Fedora, so I'm not sure what makes SELinux unique there.
>
>
>> Q: Is 'tar' the only Fedora-packaged file manipulator that is SELinux
>> aware? All of the following apps ignore file contexts, and thus
>> do not "interoperate" with SELinux (do not preserve context labels):
>>     cp
>>     cp -a
>>     cpio
>>     rsync   # even with local pathnames only
>>     zip/unzip, gzip, bzip2, 7zip, lzma, xz
>>     sccs, rcs, cvs, svn, mercurial (hg), git, perforce
>>     any user-level network protocol: file://, ftp://, http://
>>     (therefore: rsync, curl, wget, ftp, sftp, scp, ...)
>>
> At least in modern Fedora, cp -a tries to preserve security context,
> although it should fail gracefully if not allowed by policy.
> $ cp -a /etc/passwd .
> $ ls -Z passwd
> -rw-r--r--. sds sds unconfined_u:object_r:etc_t:s0 passwd
>
> Or you can use cp --preserve=context to explicitly require preservation
> of security context.
>
> Likewise, rsync has xattr support enabled via the -X option, although it
> only seems to try to preserve security contexts if run as root.
> $ sudo rsync -avX /etc .
> $ ls -Z etc/passwd
> -rw-r--r--. root root system_u:object_r:etc_t:s0 etc/passwd
>
>
>> Q: Do file context labels and policy access rules form a "stationary
>> process", such that the only things that matter are the most-recent
>> label and the current policy; any previous history has no effect?
>> Therefore omitting intermediate policy updates, reverting and
>> applying different intermediate policy, applying restorecontext
>> or re-labelling at any time, etc., do not matter? In particular,
>> re-labelling is idempotent: if done two times in succession
>> then the second time changes nothing? Also, if two different
>> machines have the same SELinux policy installed [rpm -q], no
>> [current] local changes to policy, and have just done a relabel,
>> then is the on-disk representation bit-for-bit identical?
>>
> It should be, yes.
>
>
>> Q: I have a harddrive partition with a mounted and readonly
>> 4.5GB ext2/ext3/ext4 filesystem with non-default file context labels.
>> I want to clone this filesystem onto a DVD-ROM, mount the replicated
>> DVD-ROM on multiple other systems, and get the same behavior
>> on the replicated systems as on the original system. How?
>>
> I'll have to leave that one for someone else to answer.
>
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
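
An added example, not part of the original thread: one way to check, after a copy made with cp -a, rsync -X or a backup restore, that each file's SELinux context (stored in the security.selinux extended attribute) matches the source tree. The function names and the injectable read_label parameter are assumptions of this example; os.getxattr is available on Linux only.

```python
import errno
import os

SELINUX_XATTR = "security.selinux"  # xattr in which Linux stores the file context


def read_selinux_label(path):
    """Return the SELinux context of path as a string, or None if unlabeled."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        # ENODATA: no label on this file; ENOTSUP: filesystem lacks xattr support
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode()  # the kernel stores a trailing NUL


def compare_labels(src_root, dst_root, read_label=read_selinux_label):
    """Walk src_root and report entries whose label differs under dst_root.

    Returns a sorted list of (relative_path, src_label, dst_label); dst_label
    is "<missing>" when the copy lacks the entry altogether. read_label is
    injectable (an assumption of this example) so the comparison can be
    exercised on hosts without SELinux.
    """
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            src_label = read_label(src)
            dst_label = read_label(dst) if os.path.lexists(dst) else "<missing>"
            if src_label != dst_label:
                mismatches.append((rel, src_label, dst_label))
    return sorted(mismatches)


if __name__ == "__main__":
    import sys
    # Usage: script.py SOURCE_DIR COPY_DIR
    for rel, before, after in compare_labels(sys.argv[1], sys.argv[2]):
        print(f"{rel}: {before} -> {after}")
```

Any line it prints is a file whose context changed or was dropped by the copy; an empty result means the labels match entry for entry.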