From: James Morris <jmorris@namei.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: Eric Paris <eparis@redhat.com>,
linux-nfs@vger.kernel.org, selinux <selinux@tycho.nsa.gov>,
linux-security-module@vger.kernel.org, steved@redhat.com,
jlayton@redhat.com, sds@tycho.nsa.gov, casey@schaufler-ca.com,
trond.myklebust@fys.uio.no, chuck.lever@oracle.com,
linux-fsdevel@vger.kernel.org
Subject: Re: NFS/LSM: allow NFS to control all of its own mount options
Date: Wed, 20 Feb 2008 11:25:45 +1100 (EST) [thread overview]
Message-ID: <Xine.LNX.4.64.0802201114030.2475@us.intercode.com.au> (raw)
In-Reply-To: <20080219222408.GB10656@infradead.org>
On Tue, 19 Feb 2008, Christoph Hellwig wrote:
> Please don't introduce a special case for just nfs. All filesystems
> should control their mount options, so please provide some library
> helpers for context= handling and move it into all filesystems that
> can support selinux.
It's not so much a special case for NFS, just that NFS happens to use
binary mount options. So, I guess it could be put into a library for
other potential filesystems with binary mount options.
To clarify:
The SELinux options are indeed filesystem independent, and the FS should
really not need to be concerned at all with them. For everything except
NFS, we parse text options looking for context=, then use that value from
within SELinux as the label for all files in the mount.
Previously, as Eric mentions, we were using a method initially approved by
the NFS folk, where, for NFS, SELinux was peeking around inside the binary
options. We were then asked to change that so that NFS (or other
binary-option FS) would obtain the values itself and call into LSM with
them. This is what Eric's latest patch enables (a previous patch
installed the infrastructure for it).
While this code could be put into a library if desired, there is no need
to make any changes for filesystems with text options (i.e. the general
case).
- James
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2008-02-20 0:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1203457094.2928.113.camel@localhost.localdomain>
[not found] ` <1203457094.2928.113.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-02-19 22:24 ` NFS/LSM: allow NFS to control all of its own mount options Christoph Hellwig
2008-02-19 22:36 ` Eric Paris
2008-02-19 23:18 ` Casey Schaufler
2008-02-20 0:25 ` James Morris [this message]
2008-02-20 13:48 ` Stephen Smalley
2008-02-20 10:08 ` Miklos Szeredi
2008-02-20 13:50 ` Stephen Smalley
[not found] ` <1203515410.9902.128.camel-/ugcdrsPCSfIm9DtXLC9OUVfdvkotuLY+aIohriVLy8@public.gmane.org>
2008-02-20 13:56 ` Eric Paris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Xine.LNX.4.64.0802201114030.2475@us.intercode.com.au \
--to=jmorris@namei.org \
--cc=casey@schaufler-ca.com \
--cc=chuck.lever@oracle.com \
--cc=eparis@redhat.com \
--cc=hch@infradead.org \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=steved@redhat.com \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).