| Message ID | 1368719808-14584-14-git-send-email-SteveD@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@redhat.com> wrote: > From: Steve Dickson <steved@redhat.com> > > This patch adds the NFS_V4_SECURITY_LABEL entry which > enables security label support for the NFSv4 client > > Signed-off-by: Steve Dickson <steved@redhat.com> > --- > fs/nfs/Kconfig | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig > index 79c500e..771831d3 100644 > --- a/fs/nfs/Kconfig > +++ b/fs/nfs/Kconfig > @@ -107,6 +107,7 @@ config NFS_V4_1 > config NFS_V4_2 > bool "NFS client support for NFSv4.2" > depends on NFS_V4_1 > + select NFS_V4_SECURITY_LABEL So this will force it on... > help > This option enables support for minor version 1 of the NFSv4 protocol > in the kernel's NFS client. > @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN > If the NFS client is unchanged from the upstream kernel, this > option should be set to the default "kernel.org". > > +config NFS_V4_SECURITY_LABEL > + bool "Provide Security Label support for NFSv4 client" > + depends on NFS_V4 && SECURITY Even if SECURITY is not set? Why are you forcing this on with a select? select is dangerous.. > + help > + > + Say Y here if you want enable fine-grained security label attribute > + support for NFS version 4. Security labels allow security modules like > + SELinux and Smack to label files to facilitate enforcement of their policies. > + Without this an NFSv4 mount will have the same label on each file. > + > + If you do not wish to enable fine-grained security labels SELinux or > + Smack policies on NFSv4 files, say N. > + > + WARNING: there is still a chance of backwards-incompatible protocol changes. > + For now we recommend "Y" only for developers and testers." > + > + If unsure, say N. > + > config ROOT_NFS > bool "Root file system on NFS" > depends on NFS_FS=y && IP_PNP > -- > 1.8.1.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, 2013-05-20 at 16:57 -0400, Eric Paris wrote: > On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@redhat.com> wrote: > > From: Steve Dickson <steved@redhat.com> > > > > This patch adds the NFS_V4_SECURITY_LABEL entry which > > enables security label support for the NFSv4 client > > > > Signed-off-by: Steve Dickson <steved@redhat.com> > > --- > > fs/nfs/Kconfig | 19 +++++++++++++++++++ > > 1 file changed, 19 insertions(+) > > > > diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig > > index 79c500e..771831d3 100644 > > --- a/fs/nfs/Kconfig > > +++ b/fs/nfs/Kconfig > > @@ -107,6 +107,7 @@ config NFS_V4_1 > > config NFS_V4_2 > > bool "NFS client support for NFSv4.2" > > depends on NFS_V4_1 > > + select NFS_V4_SECURITY_LABEL > > So this will force it on... > > > help > > This option enables support for minor version 1 of the NFSv4 protocol > > in the kernel's NFS client. > > @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN > > If the NFS client is unchanged from the upstream kernel, this > > option should be set to the default "kernel.org". > > > > +config NFS_V4_SECURITY_LABEL > > + bool "Provide Security Label support for NFSv4 client" > > + depends on NFS_V4 && SECURITY > > Even if SECURITY is not set? > > Why are you forcing this on with a select? select is dangerous.. Eric is right. In any case, we already agreed that we don't need _both_ a NFSv4.2 and a NFSv4 security label switch. Please just get rid of NFS_V4_SECURITY_LABEL.
On Mon, 2013-05-20 at 17:12 -0400, Trond Myklebust wrote: > On Mon, 2013-05-20 at 16:57 -0400, Eric Paris wrote: > > On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@redhat.com> wrote: > > > From: Steve Dickson <steved@redhat.com> > > > > > > This patch adds the NFS_V4_SECURITY_LABEL entry which > > > enables security label support for the NFSv4 client > > > > > > Signed-off-by: Steve Dickson <steved@redhat.com> > > > --- > > > fs/nfs/Kconfig | 19 +++++++++++++++++++ > > > 1 file changed, 19 insertions(+) > > > > > > diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig > > > index 79c500e..771831d3 100644 > > > --- a/fs/nfs/Kconfig > > > +++ b/fs/nfs/Kconfig > > > @@ -107,6 +107,7 @@ config NFS_V4_1 > > > config NFS_V4_2 > > > bool "NFS client support for NFSv4.2" > > > depends on NFS_V4_1 > > > + select NFS_V4_SECURITY_LABEL > > > > So this will force it on... > > > > > help > > > This option enables support for minor version 1 of the NFSv4 protocol > > > in the kernel's NFS client. > > > @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN > > > If the NFS client is unchanged from the upstream kernel, this > > > option should be set to the default "kernel.org". > > > > > > +config NFS_V4_SECURITY_LABEL > > > + bool "Provide Security Label support for NFSv4 client" > > > + depends on NFS_V4 && SECURITY > > > > Even if SECURITY is not set? > > > > Why are you forcing this on with a select? select is dangerous.. > > Eric is right. In any case, we already agreed that we don't need _both_ > a NFSv4.2 and a NFSv4 security label switch. > > Please just get rid of NFS_V4_SECURITY_LABEL. > Sorry. I mean, just replace it with config NFS_V4_SECURITY_LABEL bool depend on NFS_V4_2 && SECURITY default Y
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig index 79c500e..771831d3 100644 --- a/fs/nfs/Kconfig +++ b/fs/nfs/Kconfig @@ -107,6 +107,7 @@ config NFS_V4_1 config NFS_V4_2 bool "NFS client support for NFSv4.2" depends on NFS_V4_1 + select NFS_V4_SECURITY_LABEL help This option enables support for minor version 1 of the NFSv4 protocol in the kernel's NFS client. @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN If the NFS client is unchanged from the upstream kernel, this option should be set to the default "kernel.org". +config NFS_V4_SECURITY_LABEL + bool "Provide Security Label support for NFSv4 client" + depends on NFS_V4 && SECURITY + help + + Say Y here if you want enable fine-grained security label attribute + support for NFS version 4. Security labels allow security modules like + SELinux and Smack to label files to facilitate enforcement of their policies. + Without this an NFSv4 mount will have the same label on each file. + + If you do not wish to enable fine-grained security labels SELinux or + Smack policies on NFSv4 files, say N. + + WARNING: there is still a chance of backwards-incompatible protocol changes. + For now we recommend "Y" only for developers and testers." + + If unsure, say N. + config ROOT_NFS bool "Root file system on NFS" depends on NFS_FS=y && IP_PNP