> On Nov 5, 2020, at 11:47 AM, Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
>
> Hi folks,
>
> I would like to know if somebody can comment on the following
> regarding labeled NFS.
>
> RFC 7569 talks about Label formats and specifically lists that "0" is
> a reserved value.
>
> Using labeled NFS with SElinux and looking at labels (in wireshark),
> the selinux sends/sets label format as 0 (i.e. this is a reserved
> value according to the spec)
>
> So we have labelformat_spec4 set to 0 where the spec says this field
> "The LFS and the Security Label Format Selection Registry are
> described in detail in [RFC7569]". It's unlikely that "0" is reserved
> for Selinux and not explicitly specified there?
>
> 0 seems to be a good choice for using as a default label which the
> RFC7862 vaguely talks about (though says nothing about the format for
> a default label).
>
> I'm not aware if Selinux is supposed to follow a spec and therefore I
> don't think it is obligated to follow the rules of RFC 7569. Anybody
> can comment how labeled NFS label format and SElinux label format
> choice are supposed to co-exist?
>
> Thank you.

Hi Olga,

The SELinux implementation of Labeled NFS is not spec compliant.
There are two paths forward:

1) Fix the implementation to be spec compliant.

2) File an errata to RFC 7569 to allow 0 to be assigned to the
   SELinux implementation.

The argument against 1) is that there are existing deployments of
servers and clients which will be incompatible.

Thanks,
Tom
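
The check discussed in this thread, as an added example that is not part of the original messages: a Python decoder for a security label as it appears on the wire, flagging the reserved label format value 0. The XDR layout used here (two 32-bit fields, LFS and policy identifier, followed by a variable-length opaque label), the 2048-byte length cap, and both sample labels are assumptions constructed for illustration.

```python
import struct

RESERVED_LFS = 0    # the value the thread says RFC 7569 reserves
MAX_LABEL = 2048    # assumed sanity cap for this example, not taken from the thread


def xdr_sec_label4(lfs, pi, data):
    """Encode a label in the assumed layout: lfs, pi, then opaque<> data."""
    pad = (-len(data)) % 4
    return struct.pack(">III", lfs, pi, len(data)) + data + b"\x00" * pad


def parse_sec_label4(buf):
    """Decode one label; raise ValueError on truncated or oversized input."""
    if len(buf) < 12:
        raise ValueError("truncated header")
    lfs, pi, length = struct.unpack_from(">III", buf, 0)
    if length > MAX_LABEL:
        raise ValueError("label length %d exceeds cap" % length)
    padded = length + (-length) % 4     # XDR opaque data is padded to 4 bytes
    if len(buf) < 12 + padded:
        raise ValueError("truncated label data")
    return {"lfs": lfs, "pi": pi, "label": buf[12:12 + length],
            "consumed": 12 + padded}


def check_label(buf):
    """Return (parsed, findings) for one encoded label."""
    parsed = parse_sec_label4(buf)
    findings = []
    if parsed["lfs"] == RESERVED_LFS:
        findings.append("LFS 0 is reserved")
    if any(buf[12 + len(parsed["label"]):parsed["consumed"]]):
        findings.append("non-zero XDR padding")
    return parsed, findings


# Constructed samples: an SELinux-style context sent with LFS 0, as the thread
# describes, and a label carrying an arbitrary non-zero LFS for comparison.
SAMPLE_SELINUX = xdr_sec_label4(0, 0, b"system_u:object_r:nfs_t:s0")
SAMPLE_OTHER = xdr_sec_label4(5, 0, b"example-label")

if __name__ == "__main__":
    for name, blob in (("selinux", SAMPLE_SELINUX), ("other", SAMPLE_OTHER)):
        parsed, findings = check_label(blob)
        print(name, parsed["lfs"], parsed["label"], findings or "ok")
```
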