[fmac-discuss] FMAC support needed in file system?

Stephen Smalley sds at tycho.nsa.gov
Tue Jul 29 06:41:02 PDT 2008


On Tue, 2008-07-29 at 13:48 +0100, Darren J Moffat wrote:
> Stephen Smalley wrote:
> > GNU coreutils has incorporated SELinux support with the following
> > behavior:
> > - "cp -a" will try to preserve context but failure to do so does not
> > change its exit status, so it falls back to just preserving other
> > attributes if not allowed to preserve security contexts.
> > - "cp --preserve=context" is similar but will fail with a nonzero status
> > if it cannot preserve the context.
> 
> The OpenSolaris cp has:
> 
>       -@    Preserves extended attributes. cp attempts to copy all
>             of  the  source  file's extended attributes along with
>             the file data to the destination file.
> 
> 
>       -/    Preserves  extended  attributes  and  extended  system
>             attributes. Along with the file's data, the cp utility
>             attempts to copy extended attributes and extended sys-
>             tem  attributes  from  each  source file, and extended
>             system attributes associated with extended  attributes
>             to  the  destination  file.  If  cp  is unable to copy
>             extended attributes  or  extended  system  attributes,
>             then  a  diagnostic  message  is written to stderr and
>             (after processing any remaining operands) exits with a
>             non-zero exit status.
> 
> Note also:
> 
>    /usr/bin/cp
>       If the -p option is specified with either the -@  option  or
>       the -/ option, /usr/bin/cp behaves as follows
> 
>           o    When both -p and -@ are specified in any order, the
>                copy fails if extended attributes cannot be copied.
> 
>           o    When both -p and -/ are specified in any order, the
>                copy  fails if extended system attributes cannot be
>                copied.
> 
>    /usr/xpg4/bin/cp
>       If the -p option is specified with either the -@  option  or
>       the -/ option, /usr/xpg4/bin/cp behaves as follows:
> 
>           o    When both -p and -@ are specified, the last  option
>                specified  determines  whether  the  copy  fails if
>                extended attributes cannot be preserved.
> 
>           o    When both -p and -/ are specified, the last  option
>                specified  determines  whether  the  copy  fails if
>                extended system attributes cannot be preserved.
> 
> Other utilities (cpio,tar,pax,..) have a -/ and -@ flag as well.

Ok.  Only thing we have to be careful about is to make sure that
existing usage patterns by users and scripts don't suddenly break when
the FMAC context is present, as the access rules governing the ability
to set the FMAC context are different than the privileges or logic
governing the ability to set existing attributes.

Also, we want the userland API to remain independent of the storage
mechanism and to work cleanly across not only zfs but also tmpfs and any
other filesystem where it makes sense to be able to set and get
individual file contexts, including ultimately across NFSv4 when labeled
NFSv4 support gets implemented and standardized.

There will also be cases where even though the filesystem itself
supports storage of FMAC contexts, we won't trust it to provide them and
will want to treat all files on it as having a single admin-specified
FMAC context; in SELinux, this is the context= mount option, which also
serves to allow assigning a single context to filesystems that do not
support labeling at all.  When that mount option is used, the interface
for getting the file context returns that context rather than any actual
attribute value, and the interface for setting the file context fails
with EOPNOTSUPP.

-- 
Stephen Smalley
National Security Agency
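
Added example, not part of the original message and not coreutils, SELinux or FMAC code: a Python sketch of the two copy policies discussed above (best-effort like "cp -a", strict like "cp --preserve=context"), including the case where setting the context fails with EOPNOTSUPP, as on a context= mount. The function names, the injectable getx/setx parameters and the set of tolerated errno values are assumptions of this example; the attribute name is the one SELinux uses on Linux, since the message does not specify FMAC's interface.

```python
import errno
import os

# Assumption: SELinux keeps the file context in this xattr on Linux.
# The message does not say how FMAC will store or expose its context.
CONTEXT_XATTR = "security.selinux"

# errno values this example treats as "the context cannot be preserved
# here" rather than as a hard I/O failure (a choice made for this sketch).
SOFT_ERRNOS = {
    errno.EOPNOTSUPP,  # no labeling support, or a context= style mount
    errno.EPERM,       # policy or privilege does not allow relabeling
    errno.EACCES,
    errno.ENODATA,     # source file carries no context attribute
}


class ContextNotPreserved(Exception):
    """Raised in strict mode when the context could not be copied."""


def preserve_context(src, dst, strict=False, getx=None, setx=None):
    """Copy the security context attribute from src to dst.

    strict=False mirrors "cp -a": a soft failure is reported in the
    return value and the caller carries on with other attributes.
    strict=True mirrors "cp --preserve=context": a soft failure raises,
    so the caller can exit with a nonzero status.

    getx/setx default to os.getxattr/os.setxattr (Linux only); they are
    injectable so the policy can be exercised without a labeled
    filesystem. Returns (preserved, errno_or_None).
    """
    getx = getx or os.getxattr
    setx = setx or os.setxattr
    try:
        value = getx(src, CONTEXT_XATTR)
        setx(dst, CONTEXT_XATTR, value)
        return True, None
    except OSError as exc:
        if exc.errno not in SOFT_ERRNOS:
            raise  # e.g. EIO: never silently ignored in either mode
        if strict:
            raise ContextNotPreserved(f"{dst}: errno {exc.errno}") from exc
        return False, exc.errno
```

A script that relied on the best-effort behaviour keeps working when a context is present but cannot be set; only callers that opt into strict mode see the failure.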


