Labeled NFS

From SELinux Wiki
Revision as of 20:01, 26 November 2008 by DaveQuigley (Talk | contribs)

Jump to: navigation, search


Labeled NFS is an effort headed by Dave Quigley of the NSA to implement Mandatory Access Control within NFSv4

Since the Labeled-NFS effort is starting to mature, a centralize location is needed to store information and code for the project. This page will contain news, source code, documentation, and specification documents pertaining to the Labeled-NFS effort.

At the moment development is progressing on a prototype for the Linux 2.6 series of kernels. As the specification matures and we see other people choose to prototype implementations in other operating and MAC systems we will post that information here.

Project News

None as of yet.

Getting the code

The Labeled-NFS implementation prototype is published as a series of public git trees that can be found at The three trees that pertain to the Labeled-NFS work are:

  • users/dpquigl/lnfs.git
  • users/dpquigl/nfs-utils.git
  • users/dpquigl/libnfsdoimap.git

To clone these trees use the command below substituting any of {lnfs.git, libnfsdoimap.git, nfs-utils.git} for <tree>.

       git-clone git://<tree>

Building the code

This documentation is for building a Labeled-NFS kernel and the modified user-space NFS utilities. The development team uses Fedora as the primary development platform so the instructions below reference Fedora specific utilities and names. If you are running a distro other than Fedora substitute in the appropriate package manager calls and package names for your system.

The nfs-utils git tree requires the development version of several packages to be installed. These packages can be found in the command below.

Install development packages:

yum install tcp_wrappers-devel libevent-devel nfs-utils-lib-devel libgssglue-devel e2fsprogs-devel krb5-devel openldap-devel

Testing the code

Specification Documents

Mailing Lists

  • IETF NFSv4 Working Group Mailing List: Primary list for discussion for discussion of the NFSv4 standard. This is a moderately high volume list and currently the discussion is centered around preparing NFSv4.1 for final approval.


  • MAC resources Posting to the NFSv4 IETF mailing list with pointers to information on Mandatory Access Control (MAC).

News Articles

  • GCN coverage Government Computer News on the project as Dave Q presents at IETF 71.