Date: Tue, 18 Dec 2007 08:43:11 -0800 (PST)
From: Casey Schaufler <casey@schaufler-ca.com>
Reply-To: casey@schaufler-ca.com
Subject: Re: [patch 1/2] [RFC] Simple tamper-proof device filesystem.
To: Valdis.Kletnieks@vt.edu, Pavel Machek <pavel@ucw.cz>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
       linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <22795.1197993320@turing-police.cc.vt.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-ID: <968709.86780.qm@web36604.mail.mud.yahoo.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1007
Lines: 30


--- Valdis.Kletnieks@vt.edu wrote:

> On Thu, 06 Dec 2007 15:29:07 GMT, Pavel Machek said:
> > 
> > > Why not use SELinux?
> > > 
> > >  Because SELinux doesn't guarantee filename and its attribute.
> > >  The purpose of this filesystem is to ensure filename and its attribute
> > >  (e.g. /dev/null is guaranteed to be a character device file
> > >  with major=1 and minor=3).
> > 
> > Why not improve selinux to be able to assign label of new file based
> > on directory label and name?
> 
> The problem isn't the label, it's the *other* attributes...
> 
> What happens if /dev/null has the correct SELinux label, but the major/minor
> is 1,27 rather than 1,3?

Isn't this the kind of thing that Bastille is good for?


Casey Schaufler
casey@schaufler-ca.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/