Re: labelling with genfscon

Thanks Stephen for the clarification.
So where can I find the patch you mentioned? I want to try it.
Also, I will try with the new feature of NFSv4.

Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

On Wed, 2008-04-23 at 12:07 -0700, run zhang wrote:
> In the NSA example policy package, the genfs_contexts explains that
> except /proc, all other filesystems without xattr support are limited
> to a single entry /. Can I specify the subdirs of a filesystem with
> different labels with genfscon just like /proc?
> More specifically, I am using NFS and cramfs, where I specify
> genfscon nfs / root_t
> genfscon nfs /bin bin_t
>
> However, after boot and load the result policy, still every dir in
> rootfs is labelled with root_t. It seems the same result for cramfs.
> According to this thread:
> http://marc.info/?l=selinux&m=102587231814793&w=2, it seems that this
> should be doable.
> Please give a hand, thanks very much!

At the time of that thread, SELinux did support use of genfs_contexts
for other filesystem types. However, that support was dropped because
a) we couldn't provide strong guarantees about such labeling for other
filesystem types (in the case of proc, we can generate an unambiguous
and immutable pathname from the internal kernel data structures to use
as a key; most other filesystem types would suffer from aliasing and
userspace-manipulation issues), and b) it was frowned upon by the vfs
folks as unacceptable for merging selinux into mainline. It was
nonetheless a relatively simple patch to SELinux to support it if you
are willing to patch your kernel.

For NFS, you are currently limited to per-mount granularity (using the
mount context= option) or the default genfscon label. There is ongoing
work on labeled NFSv4 support to provide native support for per-file
labeling.

--
Stephen Smalley
National Security Agency
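Since only the "/" genfscon entry applies to NFS, the per-directory labels the original question wanted can be approximated with per-mount labels: export the subtree separately and mount it with its own context= option. The following is an added example, not code from the thread; the server name "nfsserver", the export paths and the mount points are placeholders, while root_t and bin_t are the types from the question.

```shell
#!/bin/sh
# Added example: emulate "genfscon nfs /bin bin_t" with per-mount labeling.
# Assumptions (placeholders): server "nfsserver" exports /srv/root and /srv/bin
# as separate exports; the policy defines the types root_t and bin_t.

# Mount one NFS export and label the whole mount with the given SELinux type
# via the context= option. With DRY_RUN=1 the command is only printed,
# which lets the option string be checked without root or a server.
labeled_nfs_mount() {
    server=$1; export_path=$2; mountpoint=$3; setype=$4
    ctx="system_u:object_r:${setype}:s0"
    cmd="mount -t nfs -o context=${ctx} ${server}:${export_path} ${mountpoint}"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmd"
    else
        mkdir -p "$mountpoint" && $cmd
    fi
}

# Confirm that a path carries the expected type; stat's %C format prints the
# SELinux context of the file. Returns 0 on match, 1 on mismatch or error.
verify_type() {
    path=$1; setype=$2
    actual=$(stat -c %C "$path" 2>/dev/null) || return 1
    case "$actual" in
        *:"$setype":*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Real run only when invoked as "sh script.sh run" on a host with the exports.
case "${1:-}" in
    run)
        labeled_nfs_mount nfsserver /srv/root /mnt/nfsroot root_t
        labeled_nfs_mount nfsserver /srv/bin  /mnt/nfsroot/bin bin_t
        verify_type /mnt/nfsroot/bin bin_t && echo "/mnt/nfsroot/bin carries bin_t"
        ;;
esac
```

Every file under a given mount receives that mount's label, so the granularity is exactly one type per export, which is the per-mount limit the reply describes.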


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
