Colleagues,
I have patched a kernel with XFS 1.0 and the Rule-Set Based Access
Controls (www.rsbac.org). This is of particular importance to me for
using Linux to power medical record repositories, requiring data
integrity (journaled fs), performance, and security (mandatory access
controls, role compatibility, ACLs, etc.)
The system seems to run fine even using RSBAC's 'check on init'
function. This function caused problems with ReiserFS as ReiserFS works
internally with 64-bit inode numbers, and RSBAC was removing entries for
inode, which was making ReiserFS complain. Now my impression is that XFS
uses 64-bit inodes, but somehow this is more compatible than the
ReiserFS usage because I am not getting the same errors. Does XFS use
64-bit inodes? Anyone care to comment?
Finally, there is one part of the patch in RSBAC that is still FS
dependent, a secure delete function that patches the fs/ext2/namei.c
(for example) in ext2 by adding the following to ext2_unlink():
    if(inode->i_nlink == 1)
        rsbac_sec_del(dentry);
Now they have only implemented this into ext2, vfat, dos, and minix
fs's, but it would be nice for XFS integration as well. Where would such a
patch work, or does XFS have an interface for this?
Anyone with further interest in both XFS and the RSBAC patches is
welcome to cross post to the rsbac@xxxxxxxxx mailing list.
Thanks in advance, and congratulations on creating an excellent product
in XFS and supporting open source software!
Regards,
Mitchell
________________________________________________________________________
K. Mitchell Russell, M.D. | kmrussel@xxxxxxxxxxx
Research Fellow, MedITAC Research Lab | www.meditac.com