On Mon, 2012-05-21 at 15:50 +0400, zyxel wrote: > Hello. > I have another question about labeled nfs. > > If both client and server have are patched to support labeled NFS and > if on the client side policy is set to permissive and on server side > policy is set to enforcing, > we can access files on the server from the client without any > restrictions. > Is it correct behaviour? I believe so, as the LNFS implementation only deals with object labeling support for NFSv4. Conveying the client process security label to the server (so that the server can enforce per-process access controls) would be provided by another mechanism such as RPCSEC_GSSv3. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
