I'm not going to switch between a SELinux "module" and a non-SELinux
"module" or vice versa without relabeling the filesystem to an
appropriate initial state of security labels that is meaningful to the
"module" I want to use. I also wouldn't be performing such switching at
all on any real systems.
> Either we should guarantee that modules only touch attributes they know
> about---ignoring all others (but not overwriting them), or we have separate
> namespaces for each module's attributes.
A security module can sanity check the first few bytes of the attribute
value if it desires, and handle a mismatch as it desires. That is a
policy issue and up to the module writer.
You also need to consider the implications for userspace of using a
separate attribute name for each security module. Do you really want to
maintain your own patches for all of the utilities to let users get and
set file security labels using your attribute name? Note that we can
add or remove security attributes to/from the SELinux security context
without requiring changes to our patches for the utilities; the utility
patches don't have to be tied to a specific security model.
-- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/