SELinux survey (was RE: Stupid F7 boot loop)

Rahul Sundaram sundaram at fedoraproject.org
Thu Aug 30 15:04:42 UTC 2007


Les Mikesell wrote:
> Rahul Sundaram wrote:

>>
>> http://www.redhatmagazine.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/ 
> 
> 
> This article doesn't explain whether it follows standards or will always 
> be a single-supplier non-standard extension.

That's not the focus of the article. There is other documentation 
available for what you want to know.

What standard are you talking about? There is no single supplier, nor is 
this a non-standard extension. SELinux is merged upstream and uses 
extended attributes (xattrs), which are not SELinux specific.

Multiple distributions and operating systems support the same 
mechanisms. See http://selinux.sourceforge.net/ and 
http://www.trustedbsd.org/sebsd.html for some details.

All distributions that ship policy today are based on the reference 
policy mechanism, with customizations to enable them to work with 
differences between distributions, or can be tweaked to enforce different 
security restrictions (strict vs. targeted or something else).

> If you are using SELinux,
> can you still transparently replace your local disks with network mounts 
> where the systems hosting the disks are appliances or running some 
> other OS? 

You can. Most software doesn't require any SELinux-specific 
modifications, and a central policy will be applied to it. Filesystems 
that don't read the extended attributes will ignore it (an example of 
this is NFS). I believe all others. You can assign a specific context via 
the mount command over an entire mount if the filesystem does not support 
extended attributes. More details are in the mount man page.

> If you can't do that today, is the standard published to
> permit it eventually?

You can find examples of how to add extended attribute support by 
looking at the existing software, if that is what you are asking for.

Rahul
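The mount-level labelling Rahul mentions, as an added example that is not part of the original post: /etc/fstab entries that assign one SELinux context to an entire NFS or CIFS mount, which is what the mount(8) `context=` option does for filesystems that carry no security.selinux xattr. The hostnames, export paths and mount points are assumed for illustration; the types (httpd_sys_content_t, cifs_t) are ordinary reference-policy types.

```fstab
# Added example, not from the mailing-list post. Host names, export paths
# and mount points are assumed for illustration.

# NFS export holding web content. The server stores no SELinux labels, so
# context= makes every file on the mount appear as httpd_sys_content_t,
# which the targeted policy allows httpd to read. On an MCS-enabled
# system such as Fedora 7 the context must end with the ":s0" level.
nas.example.com:/export/www   /var/www/html  nfs   ro,context="system_u:object_r:httpd_sys_content_t:s0"  0 0

# CIFS share exported by an appliance running another OS: same idea,
# labelled with the generic cifs_t type; credentials file path is assumed.
//appliance.example.com/data  /mnt/data      cifs  credentials=/etc/cifs.creds,context="system_u:object_r:cifs_t:s0"  0 0

# Local ext3 filesystem: it supports xattrs, so no context= is given and
# the per-file labels written by restorecon/setfiles are honoured instead.
/dev/sda3                     /home          ext3  defaults  1 2
```

After mounting, `ls -Zd /var/www/html` should show the context given in the fstab line. `context=` applies a single label to every object on the mount, so per-file distinctions are lost; mount(8) also documents `fscontext=` and `defcontext=` for finer control over the superblock label and the default file label on filesystems that do support xattrs.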




More information about the users mailing list