F20 System Wide Change: Enable SELinux Labeled NFS Support

Dave Quigley selinux at davequigley.com
Sun Jul 28 05:40:16 UTC 2013


On 7/26/2013 6:55 AM, Daniel J Walsh wrote:
> On 07/25/2013 06:45 PM, James Hogarth wrote:
>>
>> On 25 Jul 2013 19:55, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>
>>> <snip>
>>
>> The only provisos/additions I could suggest on the above then is to make
>> it clear in the release notes that server and client should be matching for
>> any additional fcontext rules to eliminate any server/client relabel
>> discrepancies.
>>
>> In addition rather than defaulting to the file_t context might I suggest
>> using the current/standard nfs_t context for unknown labels (unless
>> overridden by mount options of course)?
>>
>>
>>
> I am not sure we can do this. Eric do you know of a way to do something like this?



I don't believe this is possible with our current implementation. I'd
need to look again. The caveat for this operating mode in the IETF
specification we wrote is that the policies are homogeneous in this
environment. The server is not really label aware. It's mostly supposed
to be simple attribute storage. In our case here it is aware; however,
because we don't currently have any policy translation infrastructure, it
is supposed to be a homogeneous environment.

Dave

