Moldy MAC labels under TRIX, VFS layering issues with MAC.
Casey Schaufler
casey at sgi.com
Thu Aug 24 00:26:06 GMT 2000
Robert Watson wrote:
>
> I was glancing through the MAC implementation on the oss.sgi.com site this
> evening, and keep coming across the term "moldy", and was wondering what
> that referred to :-).

Multi Label Directories (MLD - say moldy) as you use for /tmp

> I also observed that the MAC checks in TRIX seem to occur at the syscall
> layer, rather than in the VFS itself.

Each file system type provides the mechanism to store and
retrieve MAC labels, but the lookup and syscall code enforces
policy.

> I've been thinking a bit about
> interactions between a VFS and new MAC checks -- in BSD, the access checks
> for vnode operations generally occur within the file system
> implementation, rather than above the VFS in the syscall implementation.

Sometimes the policy is syscall specific.

--
Casey Schaufler Manager, Trust Technology, SGI
casey at sgi.com voice: 650.933.1634
casey_p at pager.sgi.com Pager: 888.220.0607
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message