From: Paul Moore <paul.moore@hp.com>
To: Dave Quigley <dpquigl@tycho.nsa.gov>
Cc: Labeled NFS <labeled-nfs@linux-nfs.org>,
SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Interface for DOI mapping
Date: Mon, 3 Dec 2007 16:16:02 -0500
Message-ID: <200712031616.03019.paul.moore@hp.com>
In-Reply-To: <1196713965.31856.19.camel@moss-terrapins.epoch.ncsc.mil>

On Monday 03 December 2007 3:32:45 pm Dave Quigley wrote:
> With help from Neil I have the actual daemon code working for DOI
> translations. Now I have to come up with an interface for allowing an
> LSM to specify its translations. Either in the form of a separate
> library or in the daemon code itself I intend to dlopen a shared library
> and make calls into it. The question is what functionality do we want
> here and where should it be placed.
>
> In the long run it would be nice to have a server which maintains the
> mappings for all of the clients in its domain similar to kerberos.
> However the client also needs to be able to operate without such a
> server.
>
> If you have suggestions for this feel free to make them now while I am
> still designing this.

The first question that immediately springs to mind is "which DOI?" I know
you are currently focused on labeled NFS and how to translate file labels
between different MAC implementations but I think it is worthwhile to broaden
the scope of the DOI translation effort. I know that both CIPSO and labeled
IPsec have DOI attributes and a proper DOI translation mechanism could have
benefits here too. There are probably others (labeled X? labeled databases?)
but I'm not knowledgeable enough in those areas to say for certain.
--
paul moore
linux security @ hp