The SELinux NFS code was never submitted upstream since NFSv4 was coming and it wouldn't make sense to have v3 support SELinux, but not v4. It also seemed like it would be easier to get upstream support with NFSv4 using named attributes to pass file contexts and a SELinux specific rpcsec_gss security flavor to pass the client process's context then with NFSv3 using non-standard extensions. The NFSv4 named attributes are still not implemented on Linux although there has been talk about them over the last month on the NFSv4 mailing list. Support is just being added to allow specifying a security flavor for each export. If you are interested, here is the talk I gave at last year's SELinux Symposium: http://www.selinux-symposium.org/2005/presentations/session2/2-4-carter.pdf The NFSv3 code (for 2.6.11) is still available in the historical section of the download page: http://www.nsa.gov/selinux/code/download1.cfm Jim On Thu, 2006-01-19 at 14:48 -0500, James Morris wrote: > On Thu, 19 Jan 2006, Rudi Chiarito wrote: > > > On Thu, Jan 19, 2006 at 10:56:53AM -0500, James Morris wrote: > > > "Getting Started with Multi-Category Security (MCS)" > > > http://james-morris.livejournal.com/8228.html > > > Feedback, suggestions etc. welcome. > > > > My burning question would be: is any of that supported by any of the > > network filesystems yet? If not, who might get there first? > > NFS support is some way off. For NFSv4, the protocol needs to be modified > to include support for Linux/BSD xattrs, as the named attributes in the > spec are designed for Solaris xattrs, which are really subfiles. > > I'm not sure if the old NFSv3 code from the NSA would be acceptable > upstream as it's non-standard, although I'm not sure if anyone has really > looked into this issue with upstream folk. > > Adding MCS support to Samba, however, seems potentially simpler, in that > the server runs in userspace, and that the protocol may not need to be > modified (for just MCS). > > > - James -- James Carter <jwcart2@xxxxxxxxxxxxxx> National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
