Difference between revisions of "Labeled NFS"

From SELinux Wiki
(Made it so the file names are the links.)
(Reformatting/rewording of the page and added another mailing list.)
Line 9: Line 9:
 
As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.
 
As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.
  
== News ==
+
== Project News ==
  
 
None as of yet.
 
None as of yet.
Line 37: Line 37:
 
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:]  Patch to add mount support to nfs-tuils for Labeled-NFS support.
 
* [http://www.selinuxproject.org/~dpquigl/files/lnfs/nfs-utils.patch nfs-utils.patch:]  Patch to add mount support to nfs-tuils for Labeled-NFS support.
  
 +
== Specification Documents ==
  
== Resources ==
+
* [http://namei.org/lnfs/senfs-requirements-draft-06.txt SENFS Requirements Document:] Original requirements document for an SELinux specific version of Labeled NFS by James Morris.
  
* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Mailing List]
+
* [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt MAC Security Label Requirements for NFSv4:] Internet Draft submitted to the IEFT on 30 April 2008.
  
* [http://namei.org/lnfs/senfs-requirements-draft-06.txt Requirements draft] (back when it was SELinux specific)
+
== Mailing Lists and Archives ==
  
* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.
+
* [http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs Labeled NFS Mailing List:] Primary list for discussion about the Linux prototype of Labeled-NFS. This is a low volume list.
  
* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
+
* [https://www1.ietf.org/mailman/listinfo/nfsv4 IETF NFSv4 Working Group Mailing List:] Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.
 +
 
 +
== Presentations ==
  
 
* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.
 
* [http://www.ietf.org/proceedings/08mar/slides/nfsv4-0.pdf IETF-71 Slides] Presentation by Dave Quigley.
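Review bot: two wording slips ride along in the added lines of this hunk. The new IETF NFSv4 Working Group Mailing List entry reads "Primary list for discussion for discussion of the NFSv4 standard" and should drop the repeated phrase, and the Internet Draft entry now placed under Specification Documents still says "IEFT" where "IETF" is meant. The unchanged nfs-utils.patch context line at the top of the hunk also spells the package "nfs-tuils"; since this revision is a rewording pass, it would be worth fixing in the same edit.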
Line 52: Line 55:
 
* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).
 
* [http://www.ietf.org/mail-archive/web/nfsv4/current/msg05714.html MAC resources] Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).
  
* [http://www.ietf.org/internet-drafts/draft-quigley-nfsv4-sec-label-requirements-00.txt  MAC Security Label Requirements for NFSv4] Internet Draft submitted to the IEFT on 30 April 2008.
+
== News Articles ==
  
 +
* [http://www.gcn.com/online/vol1_no1/45944-1.html GCN coverage] Government Computer News on the project as Dave Q presents at IETF 71.
 +
 +
* [http://www.darkreading.com/document.asp?doc_id=148360&WT.svl=news2_2 "NSA Pushes ‘Labeled’ Access Control for NFS"] Dark Reading coverage.
  
 
<br />
 
<br />
[[Image:[[Media:Example.jpg]]]]
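Review bot: the hunk ends on `[[Image:[[Media:Example.jpg]]]]`, which nests a Media link inside an Image link and points at Example.jpg, so it reads as an unfilled editor placeholder rather than intended content. If no figure is meant here, remove the line together with the `<br />` before it; otherwise replace it with a single well-formed image link to the real file.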
 

Revision as of 18:07, 7 July 2008

Introduction

Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within NFSv4.

Since the Labeled-NFS effort is starting to mature, a centralized location is needed to store information and code for the project. This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.

Project News

None as of yet.

Getting the code

There are two ways to get the code for the prototype Labeled-NFS implementation. As active development ensues we will be updating a series of public git trees with patches for the work. These trees can be found at http://git.selinuxproject.org/git/. At the moment the latest code is not yet in the tree since we are addressing comments from LKML.

The three trees that pertain to the Labeled-NFS work are:

  • users/dpquigl/lnfs.git
  • users/dpquigl/libnfsdoimap.git
  • users/dpquigl/nfs-utils.git

To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for <tree>.

       git clone git://git.selinuxproject.org/~dpquigl/<tree>

The second option is to patch and build a kernel with a snapshot of the Labeled-NFS code. Once this code is updated to address the LKML comments and merged into the lnfs git tree these patches will become obsolete.

  • nfs-build.txt: Instructions for building a Linux 2.6 kernel with Labeled-NFS support and patching nfs-utils to support new mount options.
  • nfs-setup.txt: Instructions for setting up NFSv4 mounts and exports with label support.
  • nfs-label.patch: Patch with kernel modifications to add Labeled-NFS support.
  • nfs-utils.patch: Patch to add mount support to nfs-utils for Labeled-NFS support.

Specification Documents

Mailing Lists and Archives

  • IETF NFSv4 Working Group Mailing List: Primary list for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.

Presentations

  • MAC resources: Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

News Articles

  • GCN coverage: Government Computer News on the project as Dave Q presents at IETF 71.