Re: Labeled NFS [v5]

On 11/20/2012 9:52 PM, Casey Schaufler wrote:
On 11/20/2012 4:37 PM, Dave Quigley wrote:
...


Or I could just give you this link and you should be good to go ;)

http://www.selinuxproject.org/~dpquigl/nfs-utils-rpms/

I haven't tried it but it should work. If it doesn't, let me know and
I'll try to fix it on my end. I'd imagine you might need to yum remove
nfs-utils first before adding this new one or you could also try an
rpm with the upgrade flag for this instead. Good luck.

I don't care what Eric says, you're OK with me.

The behavior is interesting with a Smack kernel:

I create an export using the recommended options (sec=unix,security_label, ...)
of /pub. Then, I create a directory sub with the floor ("_") label and a file
named Pop labeled "Pop". I mount the filesystem at /mnt.

# ls -l /mnt
ls: cannot access /mnt/Pop: Permission Denied
total 4
?????????? ? ?    ?       ?            ? Pop
drwxr-xr-x 2 root root 4096 Nov 20 17:57 sub

which is exactly correct!

Unfortunately, I get the exact same result if the process
is run with the Pop label. A process run with the Pop label
should be able to see the attributes of the file Pop.

It looks as if the basic mechanism is working, but that there
is some detail that is not working right. I will have to dig
deeper to understand what's up. Let me know if you have ideas.



Dave

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to
majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.



You might want to load up wireshark and see if the getfattr call is what is failing. If it is, then it's an issue with the interaction between smack and the server components. Otherwise I'm not sure; you'll have to look in the NFS debug info to find the call that is failing.

Dave