F20 System Wide Change: Enable SELinux Labeled NFS Support
Daniel P. Berrange
berrange at redhat.com
Thu Jul 25 11:17:45 UTC 2013
On Thu, Jul 25, 2013 at 01:11:01PM +0200, Jaroslav Reznik wrote:
> = Proposed System Wide Change: Enable SELinux Labeled NFS Support =
> https://fedoraproject.org/wiki/Changes/LabeledNFS
>
> Change owner(s): Daniel Walsh <dwalsh at redhat.com>, Steve Dickson
> <steved at redhat.com>
>
> The Linux Kernel has grown support for passing SELinux labels between a client
> and server using NFS.
>
> == Detailed description ==
> We have always needed to treat NFS mounts with a single label, usually
> something like nfs_t, or at best allow an administrator to override the
> default with a label using the mount --context option. With this change we
> have lots of different labels supported on an NFS share.
>
> == Scope ==
> Proposal owners:
> * Steve Dickson needs to make sure nfs-utils works properly.
> * Dan Walsh needs to make sure selinux-policy works properly in all use cases.
>
> Other developers: Kernel
> * Turn on Labeled NFS in the Fedora Kernel. Fix any policy issues that arise
> because of this. I believe this is mainly a testing issue, and that the
> functionality is complete.
>
> Release engineering: N/A (No changes for Release Engineering)
> Policies and guidelines: N/A (not affected)

I think this feature needs to cover some app integration testing. For
example, one of the core use cases for NFS/SELinux support is to enable
sVirt to work for KVM guests with storage on NFS. So I think the feature
should include testing to validate that it is working with sVirt, as a
downstream user of the feature.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|