MAC subsystem and ZFS?

[Borja Marcos]

On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> This is the expected behavior for a single-label file system -- that  
> is to say, a file system that doesn't support storing multiple  
> labels.  If EA support in ZFS is mature, it should be fairly  
> straight forward to implement multi-label support.  The following  
> changes were made to UFS/UFS2 to support per-file label storage:

Hmm. I see, I start to understand, but...

Suppose I have a system without any multilabel support enabled. Is it  
possible to assign a different MAC label than the default to a single  
filesystem?

For instance: Imagine I have everything with a default label of biba/ 
high and I want a biba/equal label just for /tmp, which is a different  
filesystem.

I've tried creating a policy file to be used with setfsmac but I am  
unable to change that default label.

Am I doing anything wrong? Or is multilabel support mandatory in order  
to assign a n label to a filesystem?

What I've been trying now (and without ZFS) is:

(without multi-label support enabled for any filesystems)

- mount a filesystem, say, into /filesystem

- it has the default biba/high(low-high),mls/low(low-high) label

- try to change the label for the filesystem.

setfmac newlabel /filesystem (fails)


create a policy.conf stating a label for the new filesystem

/filesystem	biba/equal,mls/equal

and trying to apply it
setfsmac -vxf policy.conf /filesystem (fails)
setfsmac -vxf policy.conf / (fails)

Doing anything wrong or it's just not possible to change the MAC label  
from the default for a whole filesystem without any multi-label  
support in the system?


Thank you very much again,





Borja.