From: Chuck Lever <chuck.lever-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: "J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
Cc: "David P. Quigley"
<dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org,
casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org,
sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org,
matthew.dodd-DABiIiYg7OfQT0dZR+AlfA@public.gmane.org,
trond.myklebust-41N18TsMXrtuMpJDpNschA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org,
linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 05/10] KConfig: Add KConfig entries for Labeled NFS
Date: Wed, 07 Jul 2010 13:53:57 -0400 [thread overview]
Message-ID: <4C34BF35.4060802@oracle.com> (raw)
In-Reply-To: <20100707165602.GC28815-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
On 07/ 7/10 12:56 PM, J. Bruce Fields wrote:
> On Wed, Jul 07, 2010 at 10:31:21AM -0400, David P. Quigley wrote:
>> This patch adds two entries into the fs/KConfig file. The first entry
>> NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while
>> the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on
>> the server side.
>
> Will there also be some way to turn these on and off at run-time (maybe
> for particular exports or filesystems?)
>
> And if so, will there be any reason not to have this on all the time? I
> don't think we'll want a config option for every future possible NFSv4.x
> feature.
I would guess that the ability to build without this feature would be
desirable if it added significant bulk to the object code. If it
doesn't, then I agree with you that having it adds unneeded clutter to
the code, and additional complexity to kernel configuration that most
people will ignore and/or get wrong.
>>
>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd-DABiIiYg7OfQT0dZR+AlfA@public.gmane.org>
>> Signed-off-by: David P. Quigley<dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
>> ---
>> fs/nfs/Kconfig | 16 ++++++++++++++++
>> fs/nfsd/Kconfig | 13 +++++++++++++
>> 2 files changed, 29 insertions(+), 0 deletions(-)
>>
>> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
>> index a43d07e..67b158c 100644
>> --- a/fs/nfs/Kconfig
>> +++ b/fs/nfs/Kconfig
>> @@ -83,6 +83,22 @@ config NFS_V4_1
>>
>> Unless you're an NFS developer, say N.
>>
>> +config NFS_V4_SECURITY_LABEL
>> + bool "Provide Security Label support for NFSv4 client"
>> + depends on NFS_V4&& SECURITY
>> + help
>> +
>> + Say Y here if you want enable fine-grained security label attribute
>> + support for NFS version 4. Security labels allow security modules like
>> + SELinux and Smack to label files to facilitate enforcement of their policies.
>> + Without this an NFSv4 mount will have the same label on each file.
>> +
>> + If you do not wish to enable fine-grained security labels SELinux or
>> + Smack policies on NFSv4 files, say N.
>> +
>> +
>> + If unsure, say N.
>> +
>> config ROOT_NFS
>> bool "Root file system on NFS"
>> depends on NFS_FS=y&& IP_PNP
>> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig
>> index 503b9da..3a282f8 100644
>> --- a/fs/nfsd/Kconfig
>> +++ b/fs/nfsd/Kconfig
>> @@ -79,3 +79,16 @@ config NFSD_V4
>> available from http://linux-nfs.org/.
>>
>> If unsure, say N.
>> +
>> +config NFSD_V4_SECURITY_LABEL
>> + bool "Provide Security Label support for NFSv4 server"
>> + depends on NFSD_V4&& SECURITY
>> + help
>> +
>> + Say Y here if you want enable fine-grained security label attribute
>> + support for NFS version 4. Security labels allow security modules like
>> + SELinux and Smack to label files to facilitate enforcement of their policies.
>> + Without this an NFSv4 mount will have the same label on each file.
>> +
>> + If you do not wish to enable fine-grained security labels SELinux or
>> + Smack policies on NFSv4 files, say N.
>> --
>> 1.6.2.5
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2010-07-07 17:53 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-07 14:31 Labeled-NFS: Security Label support in NFSv4 David P. Quigley
2010-07-07 14:31 ` [PATCH 01/10] Security: Add hook to calculate context based on a negative dentry David P. Quigley
2010-07-08 12:51 ` Stephen Smalley
2010-07-07 14:31 ` [PATCH 02/10] Security: Add Hook to test if the particular xattr is part of a MAC model David P. Quigley
[not found] ` <1278513086-23964-3-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2010-07-07 16:49 ` J. Bruce Fields
2010-07-07 14:31 ` [PATCH 03/10] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data David P. Quigley
2010-07-07 14:31 ` [PATCH 04/10] SELinux: Add new labeling type native labels David P. Quigley
2010-07-07 23:23 ` James Morris
2010-07-08 13:31 ` David P. Quigley
2010-07-08 22:33 ` James Morris
2010-07-09 14:09 ` David P. Quigley
2010-07-07 14:31 ` [PATCH 05/10] KConfig: Add KConfig entries for Labeled NFS David P. Quigley
[not found] ` <1278513086-23964-6-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2010-07-07 16:56 ` J. Bruce Fields
[not found] ` <20100707165602.GC28815-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2010-07-07 17:05 ` David P. Quigley
2010-07-07 17:53 ` Chuck Lever [this message]
2010-07-07 14:31 ` [PATCH 06/10] NFSv4: Add label recommended attribute and NFSv4 flags David P. Quigley
2010-07-07 17:00 ` J. Bruce Fields
2010-07-07 23:30 ` James Morris
[not found] ` <alpine.LRH.2.00.1007080928180.14102-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2010-07-08 13:39 ` David P. Quigley
2010-07-08 22:48 ` James Morris
[not found] ` <alpine.LRH.2.00.1007090834190.23354-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2010-07-09 13:47 ` Stephen Smalley
2010-07-09 14:05 ` David P. Quigley
[not found] ` <1278684348.2494.223.camel-88+Bj4OksMGWPftkNcioYDMZycKHmlmlfvIqQ387n9k@public.gmane.org>
2010-07-11 5:02 ` Kyle Moffett
[not found] ` <AANLkTinUO-xqvQQINTzKLcXnljq-RaN5X6ulEAqvuf0d-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-07-11 5:12 ` Casey Schaufler
2010-07-12 14:36 ` Stephen Smalley
[not found] ` <1278945396.5221.14.camel-i1KelmKhlFUEBZ0NE5PZeDSSxhlBfLG+Zkel5v8DVj8@public.gmane.org>
2010-07-17 0:09 ` Kyle Moffett
2010-07-07 14:31 ` [PATCH 07/10] NFSv4: Introduce new label structure David P. Quigley
2010-07-07 16:01 ` Chuck Lever
[not found] ` <4C34A4F1.3060708-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2010-07-07 16:21 ` Casey Schaufler
[not found] ` <4C34A9A2.4080308-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2010-07-07 16:24 ` David P. Quigley
2010-07-07 17:42 ` Chuck Lever
2010-07-07 16:22 ` David P. Quigley
2010-07-07 17:49 ` Chuck Lever
2010-07-07 18:11 ` David P. Quigley
2010-07-07 14:31 ` [PATCH 08/10] NFS: Client implementation of Labeled-NFS David P. Quigley
2010-07-07 14:31 ` [PATCH 09/10] NFS: Extend NFS xattr handlers to accept the security namespace David P. Quigley
2010-07-07 14:31 ` [PATCH 10/10] NFSD: Server implementation of MAC Labeling David P. Quigley
2010-07-07 17:21 ` J. Bruce Fields
[not found] ` <20100707172100.GE28815-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2010-07-07 18:03 ` David P. Quigley
2010-07-07 19:24 ` J. Bruce Fields
2010-07-08 13:27 ` David P. Quigley
-- strict thread matches above, loose matches on Subject: below --
2010-06-08 16:22 Labeled-NFS: Security Label support in NFSv4 David P. Quigley
[not found] ` <1276014176-20315-1-git-send-email-dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2010-06-08 16:22 ` [PATCH 05/10] KConfig: Add KConfig entries for Labeled NFS David P. Quigley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C34BF35.4060802@oracle.com \
--to=chuck.lever-qhclzuegtsvqt0dzr+alfa@public.gmane.org \
--cc=bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org \
--cc=casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org \
--cc=dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matthew.dodd-DABiIiYg7OfQT0dZR+AlfA@public.gmane.org \
--cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=trond.myklebust-41N18TsMXrtuMpJDpNschA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).