selinux & external hd permissions.

Russell Coker russell at coker.com.au
Sun Jun 19 08:00:24 UTC 2005


On Sunday 12 June 2005 23:23, Valdis.Kletnieks at vt.edu wrote:
> The data will be readable off any box that supports ext3 and extended
> attributes (I can't remember what happens if the kernel doesn't do the
> extended attributes - whether it won't mount, or it mounts-and-ignores).
> At worst, you'd need to drop to 'permissive' mode and/or restorecon.

Code to support XATTRs in Ext2/3 has been there for quite a while.  Code that 
works properly (and base Ext2/3 code that has no bugs related to this) is a 
bit newer.

If you have a file system with XATTRs on sym-links (SE Linux puts XATTRs on 
all file system objects) and then try to mount it on an older 2.4.x kernel 
then there will be problems; I can't remember if the problems merely made the 
file system unusable or whether a full kernel panic occurred.  In any case 
the result was not good.

If you need to share a disk with an old 2.4.x machine then a good solution is 
to mount it with -o context=...  Then the context is stored in kernel memory 
and never written to disk (unless you use a program such as mv or cp that 
does it - but it will not be done automatically by the kernel).

For an external device the context= mount option is good for security too.  
Devices that are mounted nosuid also inhibit domain_auto_trans() rules, but 
having arbitrary data types on files is not desirable.


But generally the answer is that there is no serious issue no matter what you 
want to do.  You just have to do it in the right way.

Also note that some new file system features in recent 2.6.x kernels are not 
supported on 2.4.x.  So you may have some issues with using an old kernel 
even if not using SE Linux.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
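An added example, not part of Russell's post: a POSIX shell audit that reads /proc/mounts-style lines (a constructed sample is embedded; replace it with the output of `cat /proc/mounts` on a real system) and reports whether an external disk is mounted with the context= option, so its labels live only in kernel memory, and with nosuid. The device names and the removable_t context are assumptions.

```shell
#!/bin/sh
# Audit /proc/mounts-style lines for an external device: is it mounted with
# context= (labels held in kernel memory, no security.selinux xattrs written
# to disk) and with nosuid?
# Constructed sample lines, not captured from a real system.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sdb1 /mnt/ext ext3 rw,nosuid,nodev,context=system_u:object_r:removable_t 0 0
/dev/sdc1 /mnt/usb ext3 rw 0 0'

# mount_opts DEVICE -> prints the option field (4th column) for DEVICE, or nothing.
mount_opts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v dev="$1" '$1 == dev { print $4; exit }'
}

# has_opt OPTS NAME -> true if comma-separated OPTS contains NAME or NAME=value.
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -q -E "^$2(=.*)?$"
}

# context_of OPTS -> prints the value of context=, with any surrounding quotes
# stripped (newer kernels print the value quoted in /proc/mounts).
context_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^context="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# check_device DEVICE -> prints a verdict per line; returns 0 only when both
# context= and nosuid are present, 1 if either is missing, 2 if not mounted.
check_device() {
    opts=$(mount_opts "$1")
    if [ -z "$opts" ]; then
        echo "$1: not mounted"
        return 2
    fi
    rc=0
    if has_opt "$opts" context; then
        echo "$1: context=$(context_of "$opts") (labels kept in kernel memory only)"
    else
        echo "$1: no context= option; labels will be written to disk as xattrs"
        rc=1
    fi
    if has_opt "$opts" nosuid; then
        echo "$1: nosuid set"
    else
        echo "$1: nosuid NOT set"
        rc=1
    fi
    return $rc
}

check_device /dev/sdb1
check_device /dev/sdc1 || true
```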
