--- Al Viro <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 03, 2007 at 03:23:15PM -0700, Casey Schaufler wrote:
> > 1. Create /moldy at "_"
> > 2. For each label you care about
> >2a. Create /moldy/
> >2b. Set the label of /moldy/ to
> > 3. ln -s /smack/tmp /tmp
>
> > 1. Create /moldy at "_"
On Wed, Oct 03, 2007 at 03:23:15PM -0700, Casey Schaufler wrote:
> 1. Create /moldy at "_"
> 2. For each label you care about
>2a. Create /moldy/
>2b. Set the label of /moldy/ to
> 3. ln -s /smack/tmp /tmp
> 1. Create /moldy at "_"
> 2. For each label you care about
>2a. Create
--- Al Viro <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 03, 2007 at 12:51:08PM -0700, Casey Schaufler wrote:
> > > > Because you throw "simple" out the window when you require userland
> > > > assistance to perform this function.
> > >
> > > Any more than having /tmp replaced with a symlink?
> >
--- Alan Cox <[EMAIL PROTECTED]> wrote:
> > An embedded system that does not have user logins but that does
> > have applications that require separation, perhaps a mobile communication
> > device with application download capability, is just one example
> > where the smack symlink implementation
On Wed, Oct 03, 2007 at 12:51:08PM -0700, Casey Schaufler wrote:
> > > Because you throw "simple" out the window when you require userland
> > > assistance to perform this function.
> >
> > Any more than having /tmp replaced with a symlink?
>
> Yes. By the way, there's nothing that really
> An embedded system that does not have user logins but that does
> have applications that require separation, perhaps a mobile communication
> device with application download capability, is just one example
> where the smack symlink implementation provides the required
> function without
--- Alan Cox <[EMAIL PROTECTED]> wrote:
> > Absolute paths in that kind of thing are _wrong_. You know where the things
> > are on your fs. You don't know if anything else will be visible, let alone
> > whether it will be at the same place in all chroots or namespaces. And no,
> > you
--- Al Viro <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 03, 2007 at 10:21:08AM -0700, Casey Schaufler wrote:
> > > what
> > > happens if we want it in two chroot jails with different layouts?
> >
> > As you can only have /smack mounted once, this isn't an issue,
> > but it does present an
On Wed, Oct 03, 2007 at 07:17:35PM +0100, Alan Cox wrote:
> > Absolute paths in that kind of thing are _wrong_. You know where the things
> > are on your fs. You don't know if anything else will be visible, let alone
> > whether it will be at the same place in all chroots or namespaces. And no,
> Absolute paths in that kind of thing are _wrong_. You know where the things
> are on your fs. You don't know if anything else will be visible, let alone
> whether it will be at the same place in all chroots or namespaces. And no,
> you _can't_ make sure that fs is visible only in one place.
On Wed, Oct 03, 2007 at 10:21:08AM -0700, Casey Schaufler wrote:
> > what
> > happens if we want it in two chroot jails with different layouts?
>
> As you can only have /smack mounted once, this isn't an issue,
> but it does present an interesting use case that brings the one
> mount limitation
--- Al Viro <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote:
> >
> > From: Casey Schaufler <[EMAIL PROTECTED]>
> >
> > Smack is the Simplified Mandatory Access Control Kernel.
> >
> > Smack implements mandatory access control (MAC) using labels
> >
On Wednesday 03 October 2007 12:45:42 am Casey Schaufler wrote:
> From: Casey Schaufler <[EMAIL PROTECTED]>
>
> Smack is the Simplified Mandatory Access Control Kernel.
>
> Smack implements mandatory access control (MAC) using labels
> attached to tasks and data containers, including files, SVIPC,
On Wednesday 03 October 2007 12:45:42 am Casey Schaufler wrote:
From: Casey Schaufler [EMAIL PROTECTED]
Smack is the Simplified Mandatory Access Control Kernel.
Smack implements mandatory access control (MAC) using labels
attached to tasks and data containers, including files, SVIPC,
and
--- Al Viro [EMAIL PROTECTED] wrote:
On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote:
From: Casey Schaufler [EMAIL PROTECTED]
Smack is the Simplified Mandatory Access Control Kernel.
Smack implements mandatory access control (MAC) using labels
attached to tasks
On Wed, Oct 03, 2007 at 10:21:08AM -0700, Casey Schaufler wrote:
what
happens if we want it in two chroot jails with different layouts?
As you can only have /smack mounted once, this isn't an issue,
but it does present an interesting use case that brings the one
mount limitation into
Absolute paths in that kind of thing are _wrong_. You know where the things
are on your fs. You don't know if anything else will be visible, let alone
whether it will be at the same place in all chroots or namespaces. And no,
you _can't_ make sure that fs is visible only in one place. No
On Wed, Oct 03, 2007 at 07:17:35PM +0100, Alan Cox wrote:
Absolute paths in that kind of thing are _wrong_. You know where the things
are on your fs. You don't know if anything else will be visible, let alone
whether it will be at the same place in all chroots or namespaces. And no,
you
--- Al Viro [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 10:21:08AM -0700, Casey Schaufler wrote:
what
happens if we want it in two chroot jails with different layouts?
As you can only have /smack mounted once, this isn't an issue,
but it does present an interesting use case
--- Alan Cox [EMAIL PROTECTED] wrote:
Absolute paths in that kind of thing are _wrong_. You know where the things
are on your fs. You don't know if anything else will be visible, let alone
whether it will be at the same place in all chroots or namespaces. And no,
you _can't_ make
An embedded system that does not have user logins but that does
have applications that require separation, perhaps a mobile communication
device with application download capability, is just one example
where the smack symlink implementation provides the required
function without requiring
On Wed, Oct 03, 2007 at 12:51:08PM -0700, Casey Schaufler wrote:
Because you throw simple out the window when you require userland
assistance to perform this function.
Any more than having /tmp replaced with a symlink?
Yes. By the way, there's nothing that really requires that you
--- Alan Cox [EMAIL PROTECTED] wrote:
An embedded system that does not have user logins but that does
have applications that require separation, perhaps a mobile communication
device with application download capability, is just one example
where the smack symlink implementation provides
--- Al Viro [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 12:51:08PM -0700, Casey Schaufler wrote:
Because you throw simple out the window when you require userland
assistance to perform this function.
Any more than having /tmp replaced with a symlink?
Yes. By the way,
On Wed, Oct 03, 2007 at 03:23:15PM -0700, Casey Schaufler wrote:
1. Create /moldy at _
2. For each label you care about
2a. Create /moldy/label
2b. Set the label of /moldy/label to label
3. ln -s /smack/tmp /tmp
1. Create /moldy at _
2. For each label you care about
2a. Create
--- Al Viro [EMAIL PROTECTED] wrote:
On Wed, Oct 03, 2007 at 03:23:15PM -0700, Casey Schaufler wrote:
1. Create /moldy at _
2. For each label you care about
2a. Create /moldy/label
2b. Set the label of /moldy/label to label
3. ln -s /smack/tmp /tmp
1. Create /moldy at _
2.
On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote:
>
> From: Casey Schaufler <[EMAIL PROTECTED]>
>
> Smack is the Simplified Mandatory Access Control Kernel.
>
> Smack implements mandatory access control (MAC) using labels
> attached to tasks and data containers, including files,
On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote:
From: Casey Schaufler [EMAIL PROTECTED]
Smack is the Simplified Mandatory Access Control Kernel.
Smack implements mandatory access control (MAC) using labels
attached to tasks and data containers, including files, SVIPC,
28 matches