SELinux Mailing List
Re: Updated Release
From: James Carter <jwcart2_at_epoch.ncsc.mil>
Date: 16 Mar 2004 08:16:02 -0500
The experimental SELinux NFS patch consists of both a kernel patch and userland patches. The userland patches include a patch to mount adding a selinuxnfs filesystem type, an xattr mount option, and a selinux mount option. There is also a patch to exportfs to add a selinux export option. See the README in the nfs-usr archive for instructions.
The SELinux NFS patch modifies NFS v3 and the SELinux module. Some of
the modifications:
There are still the following limitations:
1. The client and server need to have essentially the same policy.
2. The client does not revalidate the security contexts for the NFS
inodes. If the security context on the server is changed or from
another client, it will not be reflected on the client. If the change
is made on the client, then the client and server will have the correct
context. I am currently working on a fix for this.
3. The fs create context is not currently passed to the server, so it
depends on the client to set the context after the fact, widening the
window where the file exists in the default type. I am also currently
working on a fix for this.
Note that this patch does not address the RPC socket creation issue encountered by Stephen Tweedie of Red Hat; addressing that also requires a separate patch for sock_create.
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
Received on Tue 16 Mar 2004 - 08:16:10 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |