As part of my work on LSM stacking I've encountered some issues with the Linux implementation of NFS4 security labels. For example, the LFS data is ignored, so even if the client and server are willing to identify the kind of information they are passing, the identity information isn't available. The code asks if attributes requested are mandatory access control attributes, but cannot differentiate between which of the possible security attributes the other end is providing. Is anyone actively owning the NFS labeling code? I'd like to bounce an idea or two around before committing too much time to my ideas of solutions.