Sun is also positive about David's proposal although we currently don't depend on it.

Labeled NFS services are currently provided by Solaris Trusted Extensions, without relying on NFS protocol extensions. Instead, Trusted Extensions uses the labels of the network endpoints to determine the labels of the underlying clients and servers. When acting as an NFS server, Trusted Extensions sends packets at the same label as the underlying exported filesystem. These endpoint labels are then implicitly used to enforce mount policy restrictions by the NFS client and server code in the kernel. A restriction of this implementation is that all files in a NFS mounted filesystem must have the same label. In order for Solaris to support per-file labeling we will need NFS protocol extensions similar to what David has proposed.

--Glenn

Peter Staubach wrote:
> Spencer Shepler wrote:
>>
>> As David suggests, the NFSv4 working group is positive about this
>> work but until now, the show of specific interest within the NFSv4
>> working group has been very minimal. If this work is to be added to
>> the working group's charter, there must be a show of interest. This
>> can be as simple as an email to the nfsv4 at ietf.org alias stating
>> interest and brief description of need/use. This will demonstrate to
>> the area director that work is occurring and it is worthwhile to have
>> the NFSv4 WG undertake the work.
>>
>> So, please speak up, join the nfsv4 WG alias and participate as
>> interest and need declares.
>
> I will start, I guess.
>
> We, Red Hat, are looking at this work as enabling some fundamental
> technologies for our virtual offerings. We need the ability to
> run SELinux over NFS mounted file systems and the current NFSv4[.1]
> support is not sufficient to do it.
>
> Thanx...
>
> ps
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to
> majordomo at tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.