[Labeled-nfs] [PATCH 13/13] NFSD: Label change notification for NFSv4 Server
James Morris
jmorris at namei.org
Mon Nov 19 17:48:27 EST 2007

On Mon, 19 Nov 2007, Trond Myklebust wrote:
> This proposal, OTOH, will force the server to track all clients that
> access a labelled file, and to notify them all synchronously if ever a
> change is made. That can never scale if, say, you want to relabel the
> entire filesystem as SELinux appears wont to do.

There are further requirements for conveying volatile security state
between the peers, such as: the current security context of the client,
and the client's current explicit label for new files (if present).

A possible approach for dealing with all of these is to use a
per-procedure OP which is prefixed in a similar manner to SEQUENCE, when
security labeling is active. It may be possible to optimize this at the
server so that an updated file security label (or indeed the entire
security OP) is only sent if required.
--
James Morris
<jmorris at namei.org>