From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Matthew N. Dodd" <Matthew.Dodd@sparta.com>
Subject: Re: [Labeled-nfs] [RFC v3] Security Label Support for NFSv4
Date: Mon, 13 Oct 2008 22:15:57 -0400
Message-ID: <48F400DD.50905@sparta.com>
References: <1222707986-26606-1-git-send-email-dpquigl@tycho.nsa.gov> <alpine.LRH.1.10.0810141014580.26030@tundra.namei.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "David P. Quigley" <dpquigl@tycho.nsa.gov>,
	labeled-nfs@linux-nfs.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, viro@zeniv.linux.org.uk,
	selinux@tycho.nsa.gov
To: James Morris <jmorris@namei.org>
Return-path: <linux-security-module-owner@vger.kernel.org>
In-Reply-To: <alpine.LRH.1.10.0810141014580.26030@tundra.namei.org>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

James Morris wrote:
> On Mon, 29 Sep 2008, David P. Quigley wrote:
> 
>> 	* New security flavor (auth_seclabel) to transport process label to
>> 	  server. This is a derivative of auth_unix so it does not support
>> 	  kerberos which has its own issues that need to be dealt with.
> 
> This is a problem, as discussed last year:
> 
> http://linux-nfs.org/pipermail/labeled-nfs/2007-November/000110.html
> 
> We can't require the use of a new auth flavor which is incompatible with 
> auth_gss.

auth_seclabel demonstrates the flavor independent changes required for 
any RPC layer process label transport.  A GSS solution is currently 
under discussion.