MCS article

James Carter jwcart2 at epoch.ncsc.mil
Fri Jan 20 13:53:56 UTC 2006


The SELinux NFS code was never submitted upstream since NFSv4 was coming
and it wouldn't make sense to have v3 support SELinux, but not v4.  It
also seemed like it would be easier to get upstream support with NFSv4
using named attributes to pass file contexts and a SELinux-specific
rpcsec_gss security flavor to pass the client process's context than
with NFSv3 using non-standard extensions.

The NFSv4 named attributes are still not implemented on Linux although
there has been talk about them over the last month on the NFSv4 mailing
list.  Support is just being added to allow specifying a security flavor
for each export.

If you are interested, here is the talk I gave at last year's SELinux
Symposium:
http://www.selinux-symposium.org/2005/presentations/session2/2-4-carter.pdf

The NFSv3 code (for 2.6.11) is still available in the historical section
of the download page:
http://www.nsa.gov/selinux/code/download1.cfm

Jim

On Thu, 2006-01-19 at 14:48 -0500, James Morris wrote:
> On Thu, 19 Jan 2006, Rudi Chiarito wrote:
> 
> > On Thu, Jan 19, 2006 at 10:56:53AM -0500, James Morris wrote:
> > > "Getting Started with Multi-Category Security (MCS)"
> > > http://james-morris.livejournal.com/8228.html
> > > Feedback, suggestions etc. welcome.
> > 
> > My burning question would be: is any of that supported by any of the
> > network filesystems yet? If not, who might get there first?
> 
> NFS support is some way off.  For NFSv4, the protocol needs to be modified 
> to include support for Linux/BSD xattrs, as the named attributes in the 
> spec are designed for Solaris xattrs, which are really subfiles.
> 
> I'm not sure if the old NFSv3 code from the NSA would be acceptable 
> upstream as it's non-standard, although I'm not sure if anyone has really 
> looked into this issue with upstream folk.
> 
> Adding MCS support to Samba, however, seems potentially simpler, in that 
> the server runs in userspace, and that the protocol may not need to be 
> modified (for just MCS).
> 
> 
> - James
-- 
James Carter <jwcart2 at epoch.ncsc.mil>
National Security Agency



