* No chance of using SELinux on rootfs without security namespace?
@ 2014-04-28  8:06 dE
  2014-04-28 14:12 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: dE @ 2014-04-28  8:06 UTC (permalink / raw)
  To: selinux

I just realized -- my rootfs doesn't support xattr (reiser4).

Is there any chance I can use SELinux?


* Re: No chance of using SELinux on rootfs without security namespace?
  2014-04-28  8:06 No chance of using SELinux on rootfs without security namespace? dE
@ 2014-04-28 14:12 ` Stephen Smalley
  2014-04-29  4:21   ` dE
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2014-04-28 14:12 UTC (permalink / raw)
  To: dE; +Cc: selinux

It would be difficult at best, unless you are only using it for a
minimalist root and everything else is on some other filesystem type.
Without xattrs, you do not have per-file security labels and therefore
cannot set up automatic domain transitions on any of the executables
in that filesystem or otherwise distinguish any of those files in the
policy.  Lack of xattr support in a native Linux filesystem is a
significant drawback these days; xattrs are used not only for SELinux
but also for ACLs, file capabilities, and various application purposes
(user. namespace).  reiser4 isn't in mainline AFAIK.

On Mon, Apr 28, 2014 at 1:06 AM, dE <de.techno@gmail.com> wrote:
> I just realized -- my rootfs doesn't support xattr (reiser4).
>
> Is there any chance I can use SELinux?

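Added example, not part of the original thread: a probe that reports whether a file's filesystem accepts the `security.selinux` xattr, the per-file label the reply above says SELinux needs. The function names and the path list are illustrative assumptions; it assumes SELinux is not yet enabled on the machine being checked.

```python
import errno
import os

SELINUX_XATTR = "security.selinux"  # xattr name that holds the per-file label

def probe_label_support(path, getxattr=None):
    """Classify whether the filesystem holding `path` can carry SELinux labels.

    Returns (state, detail), state being one of:
      "labeled"     - the xattr exists; detail is the security context
      "unlabeled"   - the xattr namespace works, this file has no label yet
      "unsupported" - the filesystem rejects the xattr (no per-file labels)
    """
    # Assumption: run with SELinux disabled. With SELinux enabled the kernel
    # can answer this name from the in-core label, masking what the fs stores.
    getxattr = getxattr or os.getxattr  # injectable so the logic is testable
    try:
        raw = getxattr(path, SELINUX_XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return ("unsupported", os.strerror(exc.errno))
        if exc.errno == errno.ENODATA:
            return ("unlabeled", "no %s attribute on this file" % SELINUX_XATTR)
        raise  # ENOENT, EACCES, ...: a different problem, do not guess
    # Stored contexts are usually NUL-terminated; strip that before decoding.
    return ("labeled", raw.rstrip(b"\0").decode("ascii", "replace"))

def survey(paths, getxattr=None):
    """Map each path to its state so mixed layouts (small root on one
    filesystem type, everything else on another) show up at a glance."""
    return {p: probe_label_support(p, getxattr)[0] for p in paths}

def blocks_selinux(states):
    """True if any surveyed path sits on a filesystem without label support."""
    return any(s == "unsupported" for s in states.values())

if __name__ == "__main__":
    # Hypothetical path list: one entry per mount point you care about.
    candidates = [p for p in ("/", "/usr", "/var", "/home") if os.path.exists(p)]
    result = survey(candidates)
    for path, state in result.items():
        print("%-8s %s" % (path, state))
    print("per-file labeling blocked:", blocks_selinux(result))
```

A path reported as "unsupported" is one where executables cannot be given distinct types, so no automatic domain transitions can be defined for them.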

* Re: No chance of using SELinux on rootfs without security namespace?
  2014-04-28 14:12 ` Stephen Smalley
@ 2014-04-29  4:21   ` dE
  0 siblings, 0 replies; 3+ messages in thread
From: dE @ 2014-04-29  4:21 UTC (permalink / raw)
  To: selinux

On 04/28/14 19:42, Stephen Smalley wrote:
> It would be difficult at best, unless you are only using it for a
> minimalist root and everything else is on some other filesystem type.
> Without xattrs, you do not have per-file security labels and therefore
> cannot set up automatic domain transitions on any of the executables
> in that filesystem or otherwise distinguish any of those files in the
> policy.  Lack of xattr support in a native Linux filesystem is a
> significant drawback these days; xattrs are used not only for SELinux
> but also for ACLs, file capabilities, and various application purposes
> (user. namespace).  reiser4 isn't in mainline AFAIK.
>
> On Mon, Apr 28, 2014 at 1:06 AM, dE <de.techno@gmail.com> wrote:
>> I just realized -- my rootfs doesn't support xattr (reiser4).
>>
>> Is there any chance I can use SELinux?

Thanks for clarifying that.

I'll try out SELinux in that Fedora VM.
