From mboxrd@z Thu Jan 1 00:00:00 1970 From: Chuck Lever Subject: Re: [PATCH 05/10] KConfig: Add KConfig entries for Labeled NFS Date: Wed, 07 Jul 2010 13:53:57 -0400 Message-ID: <4C34BF35.4060802@oracle.com> References: <1278513086-23964-1-git-send-email-dpquigl@tycho.nsa.gov> <1278513086-23964-6-git-send-email-dpquigl@tycho.nsa.gov> <20100707165602.GC28815@fieldses.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: "David P. Quigley" , hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org, casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org, sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, matthew.dodd-DABiIiYg7OfQT0dZR+AlfA@public.gmane.org, trond.myklebust-41N18TsMXrtuMpJDpNschA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: "J. Bruce Fields" Return-path: In-Reply-To: <20100707165602.GC28815-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org> Sender: linux-nfs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-Id: linux-fsdevel.vger.kernel.org On 07/ 7/10 12:56 PM, J. Bruce Fields wrote: > On Wed, Jul 07, 2010 at 10:31:21AM -0400, David P. Quigley wrote: >> This patch adds two entries into the fs/KConfig file. The first entry >> NFS_V4_SECURITY_LABEL enables security label support for the NFSv4 client while >> the second entry NFSD_V4_SECURITY_LABEL enables security labeling support on >> the server side. > > Will there also be some way to turn these on and off at run-time (maybe > for particular exports or filesystems?) > > And if so, will there be any reason not to have this on all the time? I > don't think we'll want a config option for every future possible NFSv4.x > feature. I would guess that the ability to build without this feature would be desirable if it added significant bulk to the object code. If it doesn't, then I agree with you that having it adds unneeded clutter to the code, and additional complexity to kernel configuration that most people will ignore and/or get wrong. >> >> Signed-off-by: Matthew N. Dodd >> Signed-off-by: David P. Quigley >> --- >> fs/nfs/Kconfig | 16 ++++++++++++++++ >> fs/nfsd/Kconfig | 13 +++++++++++++ >> 2 files changed, 29 insertions(+), 0 deletions(-) >> >> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig >> index a43d07e..67b158c 100644 >> --- a/fs/nfs/Kconfig >> +++ b/fs/nfs/Kconfig >> @@ -83,6 +83,22 @@ config NFS_V4_1 >> >> Unless you're an NFS developer, say N. >> >> +config NFS_V4_SECURITY_LABEL >> + bool "Provide Security Label support for NFSv4 client" >> + depends on NFS_V4&& SECURITY >> + help >> + >> + Say Y here if you want enable fine-grained security label attribute >> + support for NFS version 4. Security labels allow security modules like >> + SELinux and Smack to label files to facilitate enforcement of their policies. >> + Without this an NFSv4 mount will have the same label on each file. >> + >> + If you do not wish to enable fine-grained security labels SELinux or >> + Smack policies on NFSv4 files, say N. >> + >> + >> + If unsure, say N. >> + >> config ROOT_NFS >> bool "Root file system on NFS" >> depends on NFS_FS=y&& IP_PNP >> diff --git a/fs/nfsd/Kconfig b/fs/nfsd/Kconfig >> index 503b9da..3a282f8 100644 >> --- a/fs/nfsd/Kconfig >> +++ b/fs/nfsd/Kconfig >> @@ -79,3 +79,16 @@ config NFSD_V4 >> available from http://linux-nfs.org/. >> >> If unsure, say N. >> + >> +config NFSD_V4_SECURITY_LABEL >> + bool "Provide Security Label support for NFSv4 server" >> + depends on NFSD_V4&& SECURITY >> + help >> + >> + Say Y here if you want enable fine-grained security label attribute >> + support for NFS version 4. Security labels allow security modules like >> + SELinux and Smack to label files to facilitate enforcement of their policies. >> + Without this an NFSv4 mount will have the same label on each file. >> + >> + If you do not wish to enable fine-grained security labels SELinux or >> + Smack policies on NFSv4 files, say N. >> -- >> 1.6.2.5 >> > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html