Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-29 Thread Toshio Kuratomi
On Fri, Jul 26, 2013 at 06:54:16AM -0400, Daniel J Walsh wrote: > On 07/26/2013 03:40 AM, Florian Weimer wrote: > > On 07/25/2013 08:55 PM, Daniel J Walsh wrote: > > > >> Labels are applied based on the client rules. Which does bring up an > >

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-27 Thread Dave Quigley
On 7/28/2013 1:40 AM, Dave Quigley wrote: On 7/26/2013 6:55 AM, Daniel J Walsh wrote: On 07/25/2013 06:45 PM, James Hogarth wrote: On 25 Jul 2013 19:55, "Daniel J Walsh" wrote: The only provisos/additions I could su

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-27 Thread Dave Quigley
On 7/26/2013 6:55 AM, Daniel J Walsh wrote: On 07/25/2013 06:45 PM, James Hogarth wrote: On 25 Jul 2013 19:55, "Daniel J Walsh" wrote: The only provisos/additions I could suggest on the above then is to make it clear

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-26 Thread Daniel J Walsh
On 07/25/2013 06:45 PM, James Hogarth wrote: > > On 25 Jul 2013 19:55, "Daniel J Walsh" > wrote: > >> > > The only provisos/additions I could suggest on the above then is to make > it clear in the release notes that serve

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-26 Thread Daniel J Walsh
On 07/26/2013 03:40 AM, Florian Weimer wrote: > On 07/25/2013 08:55 PM, Daniel J Walsh wrote: > >> Labels are applied based on the client rules. Which does bring up an >> interesting idea of what happens if the server initiates a relabel. > > Can w

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-26 Thread Florian Weimer
On 07/25/2013 08:55 PM, Daniel J Walsh wrote: Labels are applied based on the client rules. Which does bring up an interesting idea of what happens if the server initiates a relabel. Can we make sure that there's a good chance that the NFS exports reside under a tree that is not subject to r

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread James Hogarth
On 25 Jul 2013 19:55, "Daniel J Walsh" wrote: > The only provisos/additions I could suggest on the above then is to make it clear in the release notes that server and client should be matching for any additional fcontext rules to eliminate any server/client relabel discrepancies. In addition r

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread Daniel J Walsh
On 07/25/2013 10:57 AM, James Hogarth wrote: > On 25 Jul 2013 14:36, "Daniel P. Berrange" > wrote: >>> Updated testing section on >>> >>> https://fedoraproject.org/wiki/Changes/LabeledNFS >> >> Feature looks good to me no

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread James Hogarth
On 25 Jul 2013 14:36, "Daniel P. Berrange" wrote: > > Updated testing section on > > > > https://fedoraproject.org/wiki/Changes/LabeledNFS > > Feature looks good to me now. > A few bits that come to immediate mind: Are the labels applied following the semanage fcontext rules from server or clien

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread Daniel P. Berrange
On Thu, Jul 25, 2013 at 08:48:24AM -0400, Daniel J Walsh wrote: > On 07/25/2013 07:17 AM, Daniel P. Berrange wrote: > > I think this feature needs to cover some app integration testing. For > > example, one of the core use cases for NFS/SELinux

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread Daniel J Walsh
On 07/25/2013 07:17 AM, Daniel P. Berrange wrote: > I think this feature needs to cover some app integration testing. For > example, one of the core use cases for NFS/SELinux support is to enable > sVirt to work for KVM guests with storage on NFS. So

Re: F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread Daniel P. Berrange
On Thu, Jul 25, 2013 at 01:11:01PM +0200, Jaroslav Reznik wrote: > = Proposed System Wide Change: Enable SELinux Labeled NFS Support = > https://fedoraproject.org/wiki/Changes/LabeledNFS > > Change owner(s): Daniel Walsh , Steve Dickson > > > The Linux Kernel has grown support for passing SELi

F20 System Wide Change: Enable SELinux Labeled NFS Support

2013-07-25 Thread Jaroslav Reznik
= Proposed System Wide Change: Enable SELinux Labeled NFS Support = https://fedoraproject.org/wiki/Changes/LabeledNFS Change owner(s): Daniel Walsh , Steve Dickson The Linux Kernel has grown support for passing SELinux labels between a client and server using NFS. == Detailed description ==