Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Bruce Fields <bfields@fieldses.org> Thu, 03 May 2018 23:59 UTC

To: "Quigley, David" <david.quigley@intel.com>
Cc: Tom Haynes <loghyr@gmail.com>, Chuck Lever <chuck.lever@oracle.com>, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/mTsqQFY-kUf3RVK5NwGXd5dTmSI>

On Thu, May 03, 2018 at 09:58:30PM +0000, Quigley, David wrote:
> >From an implementation standpoint I don't think this is an issue
> >because what it means currently is the MAC on both the client and
> >server have to match. In the future this could be changed so an
> >intermediate daemon handles the label and policy translation. Ideally
> >an SELinux enabled server could receive a request from a Trusted
> >Solaris (I think it's trusted extensions now) and be able to retain
> >the MLS portion of the label and just assign an arbitrary SELinux
> >label. This wasn't implemented or attempted as Linux is the only
> >Labeled NFS implementation at the moment but that was the intent.

Unfortunately the SELinux folks don't seem to expect it to work well
even between different versions of RHEL, and that doesn't seem to be a
problem the LFS field can solve:

	https://bugzilla.redhat.com/show_bug.cgi?id=1406885#c14

I'm a little disappointed by that.  Maybe I have the wrong expectations.

--b.