We are working on the Fedora SELinux FAQ

Jeronimo Zucco jczucco at ucs.br
Mon Jan 25 15:48:48 UTC 2010


- Backup software with xattr permission support, like bacula: http://www.bacula.org. I don't know if other backup software supports this feature.

-- 
Jeronimo Zucco
http://jczucco.blogspot.com
Universidade de Caxias do Sul - NPDU



On 01/25/2010 01:24 PM, Stephen Smalley wrote:
> On Sat, 2010-01-23 at 09:46 -0800, John Reiser wrote:
>    
>>> http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
>>>        
>> Q: What is the patent status of SELinux?  List all the patents and
>>      patent applications that are "owned by SElinux."  List those that
>>      were consciously avoided or worked-around.  Give the citations
>>      which constitute prior art to protect the un-patented aspects.
>>      
> There were 3 patents that were alleged (but never tested in court) in
> 2002 to be applicable to SELinux: 4,621,321; 4,701,840; 4,713,753.  NSA
> issued a statement regarding the matter. The last of those 3 patents
> expired in Feb 2005.  I'm not aware of any other patent claims related
> to SELinux.  The SELinux site has background information including
> papers with extensive citations covering its design and implementation.
>
> I doubt you could answer your questions for most of the other software
> in Fedora, so I'm not sure what makes SELinux unique there.
>
>    
>> Q: Is 'tar' the only Fedora-packaged file manipulator that is SELinux
>>      aware?  All of the following apps ignore file contexts, and thus
>>      do not "interoperate" with SELinux (do not preserve context labels):
>>         cp
>>         cp -a
>>         cpio
>>         rsync  # even with local pathnames only
>>         zip/unzip, gzip, bzip2, 7zip, lzma, xz
>>         sccs, rcs, cvs, svn, mercurial (hg), git, perforce
>>         any user-level network protocol: file://, ftp://, http://
>>            (therefore: rsync, curl, wget, ftp, sftp, scp, ...)
>>      
> At least in modern Fedora, cp -a tries to preserve security context,
> although it should fail gracefully if not allowed by policy.
> $ cp -a /etc/passwd .
> $ ls -Z passwd
> -rw-r--r--. sds sds unconfined_u:object_r:etc_t:s0   passwd
>
> Or you can use cp --preserve=context to explicitly require preservation
> of security context.
>
> Likewise, rsync has xattr support enabled via the -X option, although it
> only seems to try to preserve security contexts if run as root.
> $ sudo rsync -avX /etc .
> $ ls -Z etc/passwd
> -rw-r--r--. root root system_u:object_r:etc_t:s0       etc/passwd
>
>    
>> Q: Do file context labels and policy access rules form a "stationary
>>      process", such that the only things that matter are the most-recent
>>      label and the current policy; any previous history has no effect?
>>      Therefore omitting intermediate policy updates, reverting and
>>      applying different intermediate policy, applying restorecontext
>>      or re-labelling at any time, etc., do not matter?  In particular,
>>      re-labelling is idempotent: if done two times in succession
>>      then the second time changes nothing?  Also, if two different
>>      machines have the same SELinux policy installed [rpm -q], no
>>      [current] local changes to policy, and have just done a relabel,
>>      then is the on-disk representation bit-for-bit identical?
>>      
> It should be, yes.
>
>    
>> Q: I have a harddrive partition with a mounted and readonly
>>      4.5GB ext2/ext3/ext4 filesystem with non-default file context labels.
>>      I want to clone this filesystem onto a DVD-ROM, mount the replicated
>>      DVD-ROM on multiple other systems, and get the same behavior
>>      on the replicated systems as on the original system.  How?
>>      
> I'll have to leave that one for someone else to answer.
>
>    
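A way to check after the fact whether a copy or rsync run kept the file contexts Smalley shows above (added example, not code from the thread or from any of its participants): it reads the security.selinux extended attribute with Python's os.getxattr, so it assumes a Linux host, and returns None for the label where the kernel or filesystem exposes none.

```python
# Added example (not from the thread): verify that a copy kept the source's
# SELinux contexts, by reading the security.selinux xattr with os.getxattr.
import errno
import os

XATTR = "security.selinux"  # extended attribute that stores the file context


def read_context(path):
    """Context of `path`, or None where no label is exposed (no SELinux/xattrs)."""
    if not hasattr(os, "getxattr"):  # Linux-only API
        return None
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    return raw.rstrip(b"\0").decode()  # on-disk value is NUL-terminated


def parse_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain ':'."""
    return dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))


def compare_contexts(src, dst):
    """identical (rsync -avX as root above) | type-preserved (cp -a above:
    system_u -> unconfined_u, etc_t kept) | type-changed | unlabeled."""
    if src is None or dst is None:
        return "unlabeled"
    if src == dst:
        return "identical"
    if parse_context(src)["type"] == parse_context(dst)["type"]:
        return "type-preserved"
    return "type-changed"


def audit_copy(src_root, dst_root):
    """Entries under src_root whose copy under dst_root is missing or does
    not carry an identical context, as (relative path, verdict) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                findings.append((rel, "missing"))
                continue
            verdict = compare_contexts(read_context(src), read_context(dst))
            if verdict != "identical":
                findings.append((rel, verdict))
    return findings
```

Run `audit_copy("/etc", "./etc")` after the `rsync -avX /etc .` from the thread: an empty list means every entry kept its full context, while `type-preserved` entries are the cp -a style result where only the SELinux user or level changed.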