From: David Howells
To: "Jeff V. Merkey"
Cc: Nate Diller, sds@tycho.nsa.gov, jmorris@namei.org, chrisw@sous-sol.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, aviro@redhat.com, Christoph Hellwig
Subject: Re: Security issues with local filesystem caching
Date: Wed, 25 Oct 2006 18:21:16 +0100

Jeff V. Merkey wrote:

> SELinux support addresses all of these issues for B1 level security quite
> well with mandatory access controls at the fs layers. In fact, it works so
> well, when enabled you cannot even run apache on top of an FS unless
> configured properly.

How?

The problem I've got is that the caching code would be creating and accessing
files and directories with the wrong security context - that of the calling
process - and not a context suitable for sharing things in the cache whilst
protecting them from userspace as best we can.

David