[Labeled-nfs] Labeled RPC & NFS
Matthew N. Dodd
Matthew.Dodd at sparta.com
Thu Nov 29 12:51:27 EST 2007
Other patches have addressed file labels and NFSv4.

This set of patches provides the NFS server with the label of the
requesting client process. This allows the policy on the server to use
the actual client process label when computing an access decision.

fs/nfsd/auth.c:nfsd_setuser() performs security_setprocattr() when a
label is available from the client.

I've created a version of the 'AUTH_UNIX' RPC_AUTH which adds a text
encoded label.

SELinux must be running on both client and server.
May use any version of NFS.
The server must export the filesystem with 'sec=seclabel'.
The client must mount the filesystem with 'sec=seclabel'.
Operates independently of NFSv4 file labels.

Operation may be verified by observing the process label of the various
'nfsd' processes on the server change (ps xZ | grep nfsd).

Comments?
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nfs-utils.mdodd.20071129.patch
Url: http://linux-nfs.org/pipermail/labeled-nfs/attachments/20071129/04012594/attachment.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rpcauth-seclabel-mdodd-linux.2.6.24rc.20071129.patch
Url: http://linux-nfs.org/pipermail/labeled-nfs/attachments/20071129/04012594/attachment-0001.txt
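
The verification step from the message (watching the labels of the 'nfsd' processes on the server with ps), written as a polling script. This is an added example, not part of the original post or the attached patches. It assumes procps `ps` with the `label` output field, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report when the SELinux label of an nfsd thread changes.
# Polling only samples the label; changes shorter than the interval are missed.

# Read `ps -eo pid=,label=,comm=` style lines on stdin and print
# "PID LABEL" for each nfsd thread, sorted by PID.
nfsd_labels() {
    awk '$3 == "nfsd" { print $1, $2 }' | sort -n
}

# Compare two snapshot files of "PID LABEL" lines ($1 = older, $2 = newer)
# and print "PID OLD -> NEW" for every thread whose label differs.
label_changes() {
    awk 'FILENAME == ARGV[1] { old[$1] = $2; next }
         ($1 in old) && old[$1] != $2 { print $1, old[$1], "->", $2 }' "$1" "$2"
}

# Poll the running system every $1 seconds (default 1) and print a
# timestamped line for each label transition that is observed.
watch_nfsd() {
    interval=${1:-1}
    prev=$(mktemp)
    cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT
    trap 'exit 130' INT TERM
    ps -eo pid=,label=,comm= | nfsd_labels > "$prev"
    while sleep "$interval"; do
        ps -eo pid=,label=,comm= | nfsd_labels > "$cur"
        label_changes "$prev" "$cur" | while read -r line; do
            printf '%s %s\n' "$(date +%T)" "$line"
        done
        cp "$cur" "$prev"
    done
}

# Run as: sh script.sh watch [interval]
if [ "${1:-}" = "watch" ]; then
    watch_nfsd "${2:-1}"
fi
```

Run it on the server while a client that mounted with 'sec=seclabel' accesses the export; no output means no label change was sampled.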