* selinux on zfs(onlinux)
@ 2013-06-07 0:14 Matthew Thode
2013-06-07 0:56 ` Patrick K., ITF
2013-06-07 17:07 ` Stephen Smalley
0 siblings, 2 replies; 9+ messages in thread
From: Matthew Thode @ 2013-06-07 0:14 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 514 bytes --]
zfs is very close to usable as a root file-system with selinux, but is
just missing one thing, it doesn't know what to set the root context to
on mount.
I am going to petition for this to be added as a property, but should it
be called rootcontext (want to make sure it's valid).
system_u:object_r:fs_t is what I used just to get my system working
(including stuff like /usr, but meh).
here is the upstream bug if curious
https://github.com/zfsonlinux/zfs/issues/1504
--
-- Matthew Thode
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 0:14 selinux on zfs(onlinux) Matthew Thode
@ 2013-06-07 0:56 ` Patrick K., ITF
2013-06-07 2:24 ` Matthew Thode
2013-06-07 17:07 ` Stephen Smalley
1 sibling, 1 reply; 9+ messages in thread
From: Patrick K., ITF @ 2013-06-07 0:56 UTC (permalink / raw)
To: mthode; +Cc: selinux
Hello,
Excuse me, But ZFS is a patented technology Owned by Oracle Inc., and
only its implementation in CDDL was/is free.
CDDL is incompatible with GPL,
How come that ZFS can be used as root File System on Linux then?! , ZFS
cannot be integrated into kernel due to Legal reasons as explained,
unless every recipient makes modification and compilation himself/herself.
Even if you make a Module you cannot distribute it as binary, subject to
derivative work.
If you distribute it as Module you must distribute source code, and the
recipient must compile the whole kernel (on every system that is being
deployed).
If you compile into binary module and distribute it, then due to linking
you still violate CDDL (derivative work)
All may result in getting sued by Oracle Inc. due to Patent violation.
Best regards,
Patrick K.
On 6/6/2013 8:14 PM, Matthew Thode wrote:
> zfs is very close to usable as a root file-system with selinux, but is
> just missing one thing, it doesn't know what to set the root context to
> on mount.
>
> I am going to petition for this to be added as a property, but should it
> be called rootcontext (want to make sure it's valid).
>
> system_u:object_r:fs_t is what I used just to get my system working
> (including stuff like /usr, but meh).
>
>
> here is the upstream bug if curious
> https://github.com/zfsonlinux/zfs/issues/1504
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 0:56 ` Patrick K., ITF
@ 2013-06-07 2:24 ` Matthew Thode
2013-06-07 10:38 ` Patrick K., ITF
2013-06-07 13:48 ` Patrick K., ITF
0 siblings, 2 replies; 9+ messages in thread
From: Matthew Thode @ 2013-06-07 2:24 UTC (permalink / raw)
To: Patrick K., ITF; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 2519 bytes --]
On 06/06/2013 07:56 PM, Patrick K., ITF wrote:
> Hello,
>
> Excuse me, But ZFS is a patented technology Owned by Oracle Inc., and
> only its implementation in CDDL was/is free.
>
> CDDL is incompatible with GPL,
>
> How come that ZFS can be used as root File System on Linux then?! , ZFS
> cannot be integrated into kernel due to Legal reasons as explained,
> unless every recipient makes modification and compilation himself/herself.
>
> Even if you make a Module you cannot distribute it as binary, subject to
> derivative work.
>
> If you distribute it as Module you must distribute source code, and the
> recipient must compile the whole kernel (on every system that is being
> deployed).
>
> If you compile into binary module and distribute it, then due to linking
> you still violate CDDL (derivative work)
>
> All may result in getting sued by Oracle Inc. due to Patent violation.
>
>
> Best regards,
>
> Patrick K.
>
> On 6/6/2013 8:14 PM, Matthew Thode wrote:
>> zfs is very close to usable as a root file-system with selinux, but is
>> just missing one thing, it doesn't know what to set the root context to
>> on mount.
>>
>> I am going to petition for this to be added as a property, but should it
>> be called rootcontext (want to make sure it's valid).
>>
>> system_u:object_r:fs_t is what I used just to get my system working
>> (including stuff like /usr, but meh).
>>
>>
>> here is the upstream bug if curious
>> https://github.com/zfsonlinux/zfs/issues/1504
>>
>>
zfs version 28 was released under the cddl, which means it is not able
to be integrated statically into the kernel and then redistributed (my
interpretation). I can create my own static kernel image with zfs and
use it on my own though (and this is my preferred method of using it).
You are also able to use proprietary kernel modules as well. Ever use
the AFS (filesystem) on Linux? Here is a link as to what Linus has to
think on the mater.
http://linuxmafia.com/faq/Kernel/proprietary-kernel-modules.html
The CDDL provides a patent grant and the conflict only affects
distribution of linked binaries on the GPL end. Since the modules are
from Solaris, they are not considered a derived work, so the derived
work in the GPL is irrelevant. It is my interpretation that I can make
and distribute a module, but that is not the question here.
So, do you think the name for that zfs property would be accurate
(rootcontext)?
--
-- Matthew Thode
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 2:24 ` Matthew Thode
@ 2013-06-07 10:38 ` Patrick K., ITF
2013-06-07 13:48 ` Patrick K., ITF
1 sibling, 0 replies; 9+ messages in thread
From: Patrick K., ITF @ 2013-06-07 10:38 UTC (permalink / raw)
To: mthode; +Cc: selinux
On 6/6/2013 10:24 PM, Matthew Thode wrote:
> On 06/06/2013 07:56 PM, Patrick K., ITF wrote:
>> Hello,
>>
>> Excuse me, But ZFS is a patented technology Owned by Oracle Inc., and
>> only its implementation in CDDL was/is free.
>>
>> CDDL is incompatible with GPL,
>>
>> How come that ZFS can be used as root File System on Linux then?! , ZFS
>> cannot be integrated into kernel due to Legal reasons as explained,
>> unless every recipient makes modification and compilation himself/herself.
>>
>> Even if you make a Module you cannot distribute it as binary, subject to
>> derivative work.
>>
>> If you distribute it as Module you must distribute source code, and the
>> recipient must compile the whole kernel (on every system that is being
>> deployed).
>>
>> If you compile into binary module and distribute it, then due to linking
>> you still violate CDDL (derivative work)
>>
>> All may result in getting sued by Oracle Inc. due to Patent violation.
>>
>>
>> Best regards,
>>
>> Patrick K.
>>
>> On 6/6/2013 8:14 PM, Matthew Thode wrote:
>>> zfs is very close to usable as a root file-system with selinux, but is
>>> just missing one thing, it doesn't know what to set the root context to
>>> on mount.
>>>
>>> I am going to petition for this to be added as a property, but should it
>>> be called rootcontext (want to make sure it's valid).
>>>
>>> system_u:object_r:fs_t is what I used just to get my system working
>>> (including stuff like /usr, but meh).
>>>
>>>
>>> here is the upstream bug if curious
>>> https://github.com/zfsonlinux/zfs/issues/1504
>>>
>>>
>
> zfs version 28 was released under the cddl, which means it is not able
> to be integrated statically into the kernel and then redistributed (my
> interpretation). I can create my own static kernel image with zfs and
> use it on my own though (and this is my preferred method of using it).
>
I believe you need to consult with a lawyer, that's not entirely right,
I'm very well aware of that.(FreeBSD and Illumos - former OpenSolaris-
The question was rhetorical making you pay attention to the legal facts)
> You are also able to use proprietary kernel modules as well. Ever use
> the AFS (filesystem) on Linux? Here is a link as to what Linus has to
> think on the mater.
> http://linuxmafia.com/faq/Kernel/proprietary-kernel-modules.html
>
OpenAFS has different License it is IPL. Do you pay attention to the
licenses? You need to ask your lawyer.
And it seems you do not read what Linus wrote, he admits about modules
" ... (they can potentially be considered derived works, even if you
don't actually link them into the kernel, per se) ..."
He somewhat wants to ignore that, as long as the IPR owner has no issue
Linus won't cause trouble, but Oracle Inc. has issues on this, They are
selling ZFS Storage and ZFS is a core feature of Solaris, They have very
clear commercial interest in it, in fact originally CDDL was chosen (at
SUN) to some extent due to keeping their rights.
> The CDDL provides a patent grant and the conflict only affects
> distribution of linked binaries on the GPL end. Since the modules are
> from Solaris, they are not considered a derived work, so the derived
> work in the GPL is irrelevant. It is my interpretation that I can make
> and distribute a module, but that is not the question here.
>
This is different, The owner of the IPR (Intellectual Property Right)
Originally SUN Micros systems Inc and Now Oracle Inc, has not created
that Module, and has not granted such right, only CDDL version is free
and comes with granted right not infringing the patents.
When third parties create module for Kernel they combine it with enough
code and adapt it with Linux Kernel that constitutes a derivative work,
which is in case of kernel it should be in GPL, GPL requires you to
make all the code GPL, you cannot change the License of the CDDL parts
(according to CDDL grant of rights), if you do that you have terminated
your agreement and you lose granted rights to patents.
When you create the Module in the case of File system you make
derivative work of Linux then the entire work needs to be in GPL (While
CDDL license does not permit you to change the license of those parts
that are already in CDDL)
In an enterprise if you deploy such Module, and use outsourced
technicians or companies then they are distributing illegal and
unlicensed code, since the fair usage case is when the owner of the
system applies modification to his/her/its system, if third parties do
so it is a clear case of distribution.
Thus no sane and law abiding management would let you use that.
Please see this page:
https://blogs.oracle.com/chandan/entry/copyrights_licenses_and_cddl_illustrated
> So, do you think the name for that zfs property would be accurate
> (rootcontext)?
The correct legal method of using ZFS under Linux is using it through
(iSCSI, Fiber Channel, ATAoE) SAN or NAS on FreeBSD, Illumos, Solaris or
Oracle's ZFS Storage systems.
Notice: Legal issues explained in this message are for information
purposes only and should not be considered as legal advice, please
consult with your lawyer for legal advice.
Best Regards,
Patrick K.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 2:24 ` Matthew Thode
2013-06-07 10:38 ` Patrick K., ITF
@ 2013-06-07 13:48 ` Patrick K., ITF
1 sibling, 0 replies; 9+ messages in thread
From: Patrick K., ITF @ 2013-06-07 13:48 UTC (permalink / raw)
To: mthode; +Cc: selinux
Sorry If I'm double posting, My mail client software crashed during
drafting answer, so I don't know if mine posted or not.
On 6/6/2013 10:24 PM, Matthew Thode wrote:
> On 06/06/2013 07:56 PM, Patrick K., ITF wrote:
>> Hello,
>>
>> Excuse me, But ZFS is a patented technology Owned by Oracle Inc., and
>> only its implementation in CDDL was/is free.
>>
>> CDDL is incompatible with GPL,
>>
>> How come that ZFS can be used as root File System on Linux then?! , ZFS
>> cannot be integrated into kernel due to Legal reasons as explained,
>> unless every recipient makes modification and compilation
himself/herself.
>>
>> Even if you make a Module you cannot distribute it as binary, subject to
>> derivative work.
>>
>> If you distribute it as Module you must distribute source code, and the
>> recipient must compile the whole kernel (on every system that is being
>> deployed).
>>
>> If you compile into binary module and distribute it, then due to linking
>> you still violate CDDL (derivative work)
>>
>> All may result in getting sued by Oracle Inc. due to Patent violation.
>>
>>
>> Best regards,
>>
>> Patrick K.
>>
>> On 6/6/2013 8:14 PM, Matthew Thode wrote:
>>> zfs is very close to usable as a root file-system with selinux, but is
>>> just missing one thing, it doesn't know what to set the root context to
>>> on mount.
>>>
>>> I am going to petition for this to be added as a property, but
should it
>>> be called rootcontext (want to make sure it's valid).
>>>
>>> system_u:object_r:fs_t is what I used just to get my system working
>>> (including stuff like /usr, but meh).
>>>
>>>
>>> here is the upstream bug if curious
>>> https://github.com/zfsonlinux/zfs/issues/1504
>>>
>>>
>
> zfs version 28 was released under the cddl, which means it is not able
> to be integrated statically into the kernel and then redistributed (my
> interpretation). I can create my own static kernel image with zfs and
> use it on my own though (and this is my preferred method of using it).
>
I believe you need to consult with a lawyer, that's not entirely right,
I'm very well aware of that.(FreeBSD and Illumos - former OpenSolaris-
The question was rhetorical making you pay attention to the legal facts)
> You are also able to use proprietary kernel modules as well. Ever use
> the AFS (filesystem) on Linux? Here is a link as to what Linus has to
> think on the mater.
> http://linuxmafia.com/faq/Kernel/proprietary-kernel-modules.html
>
OpenAFS has different License it is IPL. Do you pay attention to the
licenses? You need to ask your lawyer.
And it seems you do not read what Linus wrote, he admits about modules "
... (they can potentially be considered derived works, even if you don't
actually link them into the kernel, per se) ..."
He somewhat wants to ignore that, as long as the IPR owner has no issue
Linus won't cause trouble, but Oracle Inc. has issues on this, They are
selling ZFS Storage and ZFS is a core feature of Solaris, They have very
clear commercial interest in it, in fact originally CDDL was chosen (at
SUN) to some extent due to keeping their rights.
> The CDDL provides a patent grant and the conflict only affects
> distribution of linked binaries on the GPL end. Since the modules are
> from Solaris, they are not considered a derived work, so the derived
> work in the GPL is irrelevant. It is my interpretation that I can make
> and distribute a module, but that is not the question here.
>
This is different, The owner of the IPR (Intellectual Property Right)
Originally SUN Micros systems Inc and Now Oracle Inc, has not created
that Module, and has not granted such right, only CDDL version is free
and comes with granted right not infringing the patents.
When third parties create module for Kernel they combine it with enough
code and adapt it with Linux Kernel that constitutes a derivative work,
which is in case of kernel it should be in GPL, GPL requires you to
make all the code GPL, you cannot change the License of the CDDL parts
(according to CDDL grant of rights), if you do that you would terminate
your agreement and you would lose granted rights to patents.
When you create the Module in case of File system you make derivative
work of Linux then the entire work needs to be in GPL (While CDDL
license does not permit you to change the license of those parts that
are already in CDDL)
In an enterprise if you deploy such Module, and use outsourced
technicians or companies then they are distributing illegal and
unlicensed code, since the fair usage case is when the owner of the
system applies modification to his/her/its system, if third parties do
so it is a clear case of distribution.
Thus no sane and law abiding management would let you use that.
Please see this page:
https://blogs.oracle.com/chandan/entry/copyrights_licenses_and_cddl_illustrated
> So, do you think the name for that zfs property would be accurate
> (rootcontext)?
The correct legal method of using ZFS under Linux is using it through
(iSCSI, Fiber Channel, ATAoE) SAN or NAS on FreeBSD, Illumos, Solaris or
Oracle's ZFS Storage systems. (or other commercial ZFS solutions based
on these OSes)
What you ask here is subject to "promotion and facilitation of patent
infringement" which makes people liable under tort law, like many sites
out there promoting ZFS workarounds for Linux Kernel.
Notice: Legal issues explained in this message are for information
purposes only and should not be considered as legal advice, please
consult with your lawyer for legal advice.
Best Regards,
Patrick K.
P.S. Sorry If I'm double posting, My mail client software crashed during
drafting answer, so I don't know if mine posted or not.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 0:14 selinux on zfs(onlinux) Matthew Thode
2013-06-07 0:56 ` Patrick K., ITF
@ 2013-06-07 17:07 ` Stephen Smalley
2013-06-07 17:14 ` Stephen Smalley
1 sibling, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2013-06-07 17:07 UTC (permalink / raw)
To: mthode; +Cc: selinux
On 06/06/2013 08:14 PM, Matthew Thode wrote:
> zfs is very close to usable as a root file-system with selinux, but is
> just missing one thing, it doesn't know what to set the root context to
> on mount.
>
> I am going to petition for this to be added as a property, but should it
> be called rootcontext (want to make sure it's valid).
>
> system_u:object_r:fs_t is what I used just to get my system working
> (including stuff like /usr, but meh).
>
>
> here is the upstream bug if curious
> https://github.com/zfsonlinux/zfs/issues/1504
The mount options interpreted by SELinux are:
1. context= (treat all inodes in the filesystem as if they had the
specified security context regardless of any on-disk extended attribute
value),
2. fscontext= (treat the filesystem/superblock as if it had the
specified security context, used in certain permission checks affecting
filesystem operations like mount and umount),
3. rootcontext= (treat the root inode in the filesystem as if it had the
specified security context but the normal behavior for the rest, useful
for assigning an initial context to a root directory of e.g. a tmpfs
mount), and
4. defcontext= (treat any file that lacks an extended attribute as if it
had the specified security context).
The context you specified is a fscontext (fs_t), not one normally used
for inodes. But I'm not sure which one you meant to use or whether you
ultimately ought to support them all.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 17:07 ` Stephen Smalley
@ 2013-06-07 17:14 ` Stephen Smalley
2013-06-07 19:37 ` Matthew Thode
0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2013-06-07 17:14 UTC (permalink / raw)
To: Stephen Smalley; +Cc: mthode, selinux
On 06/07/2013 01:07 PM, Stephen Smalley wrote:
> On 06/06/2013 08:14 PM, Matthew Thode wrote:
>> zfs is very close to usable as a root file-system with selinux, but is
>> just missing one thing, it doesn't know what to set the root context to
>> on mount.
>>
>> I am going to petition for this to be added as a property, but should it
>> be called rootcontext (want to make sure it's valid).
>>
>> system_u:object_r:fs_t is what I used just to get my system working
>> (including stuff like /usr, but meh).
>>
>>
>> here is the upstream bug if curious
>> https://github.com/zfsonlinux/zfs/issues/1504
>
> The mount options interpreted by SELinux are:
> 1. context= (treat all inodes in the filesystem as if they had the
> specified security context regardless of any on-disk extended attribute
> value),
>
> 2. fscontext= (treat the filesystem/superblock as if it had the
> specified security context, used in certain permission checks affecting
> filesystem operations like mount and umount),
>
> 3. rootcontext= (treat the root inode in the filesystem as if it had the
> specified security context but the normal behavior for the rest, useful
> for assigning an initial context to a root directory of e.g. a tmpfs
> mount), and
>
> 4. defcontext= (treat any file that lacks an extended attribute as if it
> had the specified security context).
>
> The context you specified is a fscontext (fs_t), not one normally used
> for inodes. But I'm not sure which one you meant to use or whether you
> ultimately ought to support them all.
Possibly a simpler method would be to just pass through any mount
options unknown to zfs to the kernel to allow interpretation and use by
the vfs and/or security modules. That would also allow use with other
security modules.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 17:14 ` Stephen Smalley
@ 2013-06-07 19:37 ` Matthew Thode
2013-06-10 12:18 ` Sven Vermeulen
0 siblings, 1 reply; 9+ messages in thread
From: Matthew Thode @ 2013-06-07 19:37 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 2142 bytes --]
On 06/07/2013 12:14 PM, Stephen Smalley wrote:
> On 06/07/2013 01:07 PM, Stephen Smalley wrote:
>> On 06/06/2013 08:14 PM, Matthew Thode wrote:
>>> zfs is very close to usable as a root file-system with selinux, but is
>>> just missing one thing, it doesn't know what to set the root context to
>>> on mount.
>>>
>>> I am going to petition for this to be added as a property, but should it
>>> be called rootcontext (want to make sure it's valid).
>>>
>>> system_u:object_r:fs_t is what I used just to get my system working
>>> (including stuff like /usr, but meh).
>>>
>>>
>>> here is the upstream bug if curious
>>> https://github.com/zfsonlinux/zfs/issues/1504
>>
>> The mount options interpreted by SELinux are:
>> 1. context= (treat all inodes in the filesystem as if they had the
>> specified security context regardless of any on-disk extended attribute
>> value),
>>
>> 2. fscontext= (treat the filesystem/superblock as if it had the
>> specified security context, used in certain permission checks affecting
>> filesystem operations like mount and umount),
>>
>> 3. rootcontext= (treat the root inode in the filesystem as if it had the
>> specified security context but the normal behavior for the rest, useful
>> for assigning an initial context to a root directory of e.g. a tmpfs
>> mount), and
>>
>> 4. defcontext= (treat any file that lacks an extended attribute as if it
>> had the specified security context).
>>
>> The context you specified is a fscontext (fs_t), not one normally used
>> for inodes. But I'm not sure which one you meant to use or whether you
>> ultimately ought to support them all.
>
> Possibly a simpler method would be to just pass through any mount
> options unknown to zfs to the kernel to allow interpretation and use by
> the vfs and/or security modules. That would also allow use with other
> security modules.
>
>
ya, this is probably a better option. I do think that rootcontext
matches closest though, but am confused as to how it is different then
fscontext. I will suggest a more generic option though, thanks :D
--
-- Matthew Thode
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: selinux on zfs(onlinux)
2013-06-07 19:37 ` Matthew Thode
@ 2013-06-10 12:18 ` Sven Vermeulen
0 siblings, 0 replies; 9+ messages in thread
From: Sven Vermeulen @ 2013-06-10 12:18 UTC (permalink / raw)
To: mthode; +Cc: SELinux, Stephen Smalley
[-- Attachment #1: Type: text/plain, Size: 2378 bytes --]
On Jun 7, 2013 9:50 PM, "Matthew Thode" <mthode@mthode.org> wrote:
>
> On 06/07/2013 12:14 PM, Stephen Smalley wrote:
> > On 06/07/2013 01:07 PM, Stephen Smalley wrote:
> >> On 06/06/2013 08:14 PM, Matthew Thode wrote:
> >>> zfs is very close to usable as a root file-system with selinux, but is
> >>> just missing one thing, it doesn't know what to set the root context
to
> >>> on mount.
> >>>
> >>> I am going to petition for this to be added as a property, but should
it
> >>> be called rootcontext (want to make sure it's valid).
> >>>
> >>> system_u:object_r:fs_t is what I used just to get my system working
> >>> (including stuff like /usr, but meh).
> >>>
> >>>
> >>> here is the upstream bug if curious
> >>> https://github.com/zfsonlinux/zfs/issues/1504
> >>
> >> The mount options interpreted by SELinux are:
> >> 1. context= (treat all inodes in the filesystem as if they had the
> >> specified security context regardless of any on-disk extended attribute
> >> value),
> >>
> >> 2. fscontext= (treat the filesystem/superblock as if it had the
> >> specified security context, used in certain permission checks affecting
> >> filesystem operations like mount and umount),
> >>
> >> 3. rootcontext= (treat the root inode in the filesystem as if it had
the
> >> specified security context but the normal behavior for the rest, useful
> >> for assigning an initial context to a root directory of e.g. a tmpfs
> >> mount), and
> >>
> >> 4. defcontext= (treat any file that lacks an extended attribute as if
it
> >> had the specified security context).
> >>
> >> The context you specified is a fscontext (fs_t), not one normally used
> >> for inodes. But I'm not sure which one you meant to use or whether you
> >> ultimately ought to support them all.
> >
> > Possibly a simpler method would be to just pass through any mount
> > options unknown to zfs to the kernel to allow interpretation and use by
> > the vfs and/or security modules. That would also allow use with other
> > security modules.
> >
> >
> ya, this is probably a better option. I do think that rootcontext
> matches closest though, but am confused as to how it is different then
> fscontext. I will suggest a more generic option though, thanks :D
The fscontext is only for the filesystem class, rootcontext is for the
mountpoint itself (thus directory and file (and other) classes).
Wkr,
Sven
[-- Attachment #2: Type: text/html, Size: 3231 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-06-10 12:18 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-06-07 0:14 selinux on zfs(onlinux) Matthew Thode
2013-06-07 0:56 ` Patrick K., ITF
2013-06-07 2:24 ` Matthew Thode
2013-06-07 10:38 ` Patrick K., ITF
2013-06-07 13:48 ` Patrick K., ITF
2013-06-07 17:07 ` Stephen Smalley
2013-06-07 17:14 ` Stephen Smalley
2013-06-07 19:37 ` Matthew Thode
2013-06-10 12:18 ` Sven Vermeulen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.