@@ -18,7 +18,8 @@
#define NFSEXP_ASYNC 0x0010
#define NFSEXP_GATHERED_WRITES 0x0020
#define NFSEXP_NOREADDIRPLUS 0x0040
-/* 80, 100 unused */
+#define NFSEXP_SECURITY_LABEL 0x0080
+/* 0x100 unused */
#define NFSEXP_NOHIDE 0x0200
#define NFSEXP_NOSUBTREECHECK 0x0400
#define NFSEXP_NOAUTHNLM 0x0800
@@ -274,6 +274,8 @@ putexportent(struct exportent *ep)
"no_" : "");
if (ep->e_flags & NFSEXP_NOREADDIRPLUS)
fprintf(fp, "nordirplus,");
+ if (ep->e_flags & NFSEXP_SECURITY_LABEL)
+ fprintf(fp, "security_label,");
fprintf(fp, "%spnfs,", (ep->e_flags & NFSEXP_PNFS)? "" : "no_");
if (ep->e_flags & NFSEXP_FSID) {
fprintf(fp, "fsid=%d,", ep->e_fsid);
@@ -543,6 +545,8 @@ parseopts(char *cp, struct exportent *ep, int warn, int *had_subtree_opt_ptr)
setflags(NFSEXP_ASYNC, active, ep);
else if (!strcmp(opt, "nordirplus"))
setflags(NFSEXP_NOREADDIRPLUS, active, ep);
+ else if (!strcmp(opt, "security_label"))
+ setflags(NFSEXP_SECURITY_LABEL, active, ep);
else if (!strcmp(opt, "nohide"))
setflags(NFSEXP_NOHIDE, active, ep);
else if (!strcmp(opt, "hide"))
@@ -705,6 +705,8 @@ dump(int verbose, int export_format)
c = dumpopt(c, "insecure_locks");
if (ep->e_flags & NFSEXP_NOREADDIRPLUS)
c = dumpopt(c, "nordirplus");
+ if (ep->e_flags & NFSEXP_SECURITY_LABEL)
+ c = dumpopt(c, "security_label");
if (ep->e_flags & NFSEXP_NOACL)
c = dumpopt(c, "no_acl");
if (ep->e_flags & NFSEXP_PNFS)
@@ -417,6 +417,14 @@ devices. The default can be explicitly requested with the
.I no_pnfs
option.
+.TP
+.IR security_label
+With this option set, clients using NFSv4.2 or higher will be able to
+set and retrieve security labels (such as those used by SELinux). This
+will only work if all clients use a consistent security policy. Note
+that early kernels did not support this export option, and instead
+enabled security labels by default.
+
.SS User ID Mapping
.PP
.B nfsd