On 04/02/2013 09:01, Vu, Joseph wrote:
> Thank you David.
> It is good that the community at least supports some short term
> solution.
> Labeled NFS has been working hard to get the community acceptance.
> Thanks.
>
> -----Original Message-----
> From: David Quigley [mailto:dpquigl@xxxxxxxxxxxxxxx]
> Sent: Monday, April 01, 2013 10:55 AM
> To: Vu, Joseph
> Cc: Casey Schaufler; J. Bruce Fields; Steve Dickson; Trond Myklebust;
> J. Bruce Fields; David P. Quigley; Linux NFS list; Linux Security
> List; SELinux List
> Subject: RE: [PATCH 13/14] NFSD: Server implementation of MAC Labeling
>
> On 04/01/2013 08:54, Vu, Joseph wrote:
>> What is a good and working alternative for NFS in terms of SE label?
>
> There isn't any unless you want to start a labeled cifs project. We
> looked at CIFS and NFSv4 back when I started this project and from
> what we saw NFS had the more open community. There are other solutions
> but they are not ideal. I believe someone did SELinux labels on
> network attached storage by treating the NAS as an iSCSI device. This
> isn't ideal because it has concurrency issues. Someone proposed xattr
> for NFSv4/NFSv3 support and that was shot down as well (and for good
> reason). I don't share Casey's skepticism about the long term
> importance of NFS. I think with NFSv4 and all the work that has gone
> into it we'll see NFS being important in Linux and enterprises for a
> very long time to come.

I don't consider this a short term solution. Labeled NFS is a long term
solution with short term milestones that get us something working fairly
quickly and I mean fairly quickly in IETF terms (about 5 years). I don't
buy Casey's assessment that network file-system protocols are old school
and on the way out. A number of storage vendors are doing lots of real
work into new versions of NFS and CIFS and they are major technologies
in enterprise storage. To be honest I can't even figure out what sort of
"long term" solutions Casey is talking about. It looks like he strung
together a bunch of buzz words into some vague ephemeral
concept. Typing his idea of future storage into Google doesn't really
come up with anything substantive either.