[Labeled-nfs] Current development prototype patches.
David P. Quigley
dpquigl at tycho.nsa.gov
Mon Aug 6 09:48:07 EDT 2007
On Fri, 2007-08-03 at 16:33 -0400, Matthew N. Dodd wrote:
[snip...]
There is a small problem with doing file labeling in this manner. This
method works assuming that we only use dumb servers. However, one of the
requirements is to have MAC-enabled servers be part of the decision
process. In this case we need to send the process secid over to the
server, most likely as part of the RPC. I know this is an initial
implementation; however, it is something we need to consider moving
forward so we don't shoot ourselves in the foot later.
> +/*
> + * For now, we need a way to compute a SID for
> + * a dentry as the inode is not yet available
> + * (and under NFSv4 has no label backed by an EA anyway.
> + */
> +static int selinux_dentry_init_security(struct dentry *dentry, int
> mode, u32 *sid)
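Review bot: the comment above selinux_dentry_init_security() does not say what the SID is computed from, nor what is stored in *sid when the function returns an error; please document the inputs (dentry, mode) and the meaning of the return value. The "For now" wording should also name the condition under which this hook is expected to go away, and the parenthesis opened at "(and under NFSv4" is never closed.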