Kernel Korner - Filesystem Labeling in SELinux
Although it is possible to assign security context labels to NFS mounted filesystems, they operate only locally for access control decisions within the kernel. No labels are transmitted across the network with files. Work has been advancing in this area, with SELinux-specific modifications being made to the NFSv2/v3 protocols and code. Further down the track, NFSv4 integration is expected to involve labeling over the wire by way of named attributes, which are part of the more extensible NFSv4 specification. This would allow both the NFS client and server to implement SELinux security for networked files. Support for other networked filesystems also would be useful, as would interoperability with Trusted BSD's SELinux port.
Backup and Restoration
One of the many tasks that change for system administrators using SELinux is backup and restoration. When creating an archive, how will the security context labels be preserved within the archive? The answer is to use the highly flexible star(1) utility, which has extended attribute support.
To manipulate archives with security context labels, use the xattr option. When creating archives, you also need to specify the exustar format. For example:
$ star -xattr -H=exustar -c -f cups-log.star /var/log/cups
creates an archive of the /var/log/cups directory, retaining security context labels on the files.
To extract, simply use the xattr option:
$ star -xattr -x -f cups-log.star $ ls -Z var/log/cups/ -rw-r--r--+ root sys system_u:object_r:cupsd_log_t error_log -rw-r--r--+ root sys system_u:object_r:cupsd_log_t error_log.1
As you can see, the security context labels have been preserved.
Resources for this article: /article/7689.
James Morris (firstname.lastname@example.org) is a kernel hacker from Sydney, Australia, currently working for Red Hat in Boston. He is a kernel maintainer of SELinux, Networking and the Crypto API; an LSM developer and an Emeritus Netfilter Core Team member.
|Preparing Data for Machine Learning||Apr 25, 2017|
|openHAB||Apr 24, 2017|
|Omesh Tickoo and Ravi Iyer's Making Sense of Sensors (Apress)||Apr 21, 2017|
|Low Power Wireless: 6LoWPAN, IEEE802.15.4 and the Raspberry Pi||Apr 20, 2017|
|CodeLathe's Tonido Personal Cloud||Apr 19, 2017|
|Wrapping Up the Mars Lander||Apr 18, 2017|
- Video Art: Experimental Animation and Video Techniques in Linux
- Preparing Data for Machine Learning
- Understanding Firewalld in Multi-Zone Configurations
- Simple Server Hardening
- Teradici's Cloud Access Platform: "Plug & Play" Cloud for the Enterprise
- The Weather Outside Is Frightful (Or Is It?)
- From vs. to + for Microsoft and Linux
- Non-Linux FOSS: Control Web-Based Music!
- Bash Shell Script: Building a Better March Madness Bracket
- Server Technology's HDOT Alt-Phase Switched POPS PDU