From: Paul Moore <paul.moore@hp.com>
To: Jarrett Lu <Jarrett.Lu@sun.com>
Cc: labeled-nfs@linux-nfs.org, nfs-discuss@opensolaris.org,
selinux@tycho.nsa.gov, nfsv4@ietf.org
Subject: Re: [nfsv4] [Labeled-nfs] New MAC label support Internet Draft posted to IETF website
Date: Tue, 7 Apr 2009 17:30:53 -0400 [thread overview]
Message-ID: <200904071730.54112.paul.moore@hp.com> (raw)
In-Reply-To: <49D56484.50401@sun.com>
On Thursday 02 April 2009 09:21:08 pm Jarrett Lu wrote:
> On 04/01/09 09:46, Paul Moore wrote:
> > On Wednesday 01 April 2009 03:46:58 am Jarrett Lu wrote:
> >> ... and probably outside the scope of labeled NFSv4 enhancement.
> >
> > Perhaps. Keep in mind I'm trying to think a bit more generically; if
> > that isn't the goal I'll be happy to go back to my corner and sit quietly
> > :)
> >
> >> So realistically, I think the DOI + opaque label is useful between very
> >> compatible systems.
> >
> > Of course. I agree there are a lot of things you can do with a DOI +
> > opaque label, especially if you are only concerned about end-to-end
> > security issues which I believe is the case for labeled NFS.
> >
> >> Given that limitation, may be the "package" is small enough and can be
> >> passed in RPC layer during authentication so that MLS can share files
> >> with like MLS systems, and same is true for DTE, fmac, smack, ....
> >
> > Well, I think all that the opaque label buys you is the ability to limit
> > who you share the security policy/translation "package" with, as those
> > systems that participate in the labeled communication (be it NFS, generic
> > IP or some other random service) still need to worry about label
> > translation and security policy differences if they want to enforce
> > policy locally.
>
> I am still trying to understand what is needed to make safe sharing
> possible. BTW, are you implying that it's always necessary to do one
> label translation, e.g. from on-the-wire format to a native label format?
[Sorry for the delayed response.]
As I said earlier I think the easiest way forward is to design systems that
can interoperate with established DOI definitions and not worry about what
other peer systems are using for a security mechanism. In some cases that
will require translations from a native label format to a wire format and back
to a label format; in some cases it may result in no translations at all. It
all depends on the individual systems and the DOI.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-04-07 21:54 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-22 19:16 New MAC label support Internet Draft posted to IETF website David P. Quigley
[not found] ` <54E18340-3542-4AB4-843E-E92A67B709A7@storspeed.com>
2009-01-23 17:47 ` [nfsv4] " Peter Staubach
2009-01-23 21:59 ` Glenn Faden
2009-01-23 19:07 ` [Labeled-nfs] " Kevin L. Smith
[not found] ` <33B70CB9-5260-419A-98CF-94847F829570@nokia.com>
2009-01-28 1:17 ` Jarrett Lu
2009-02-09 22:24 ` Peter Staubach
2009-02-11 23:47 ` David P. Quigley
2009-02-12 1:07 ` [Labeled-nfs] " James Morris
2009-02-12 15:36 ` [nfsv4] " Nicolas Williams
2009-02-12 20:00 ` David P. Quigley
2009-02-12 20:11 ` Nicolas Williams
2009-02-17 16:50 ` David P. Quigley
2009-02-17 17:00 ` Nicolas Williams
2009-02-12 19:45 ` David P. Quigley
2009-02-12 15:22 ` [nfsv4] " Nicolas Williams
2009-03-12 16:08 ` David P. Quigley
2009-03-12 17:20 ` Peter Staubach
2009-03-25 8:52 ` Jarrett Lu
2009-03-25 16:33 ` [nfsv4] " Nicolas Williams
2009-03-26 9:25 ` Jarrett Lu
2009-03-26 15:09 ` Nicolas Williams
2009-03-26 22:03 ` Jarrett Lu
2009-03-27 0:11 ` Nicolas Williams
2009-03-27 12:55 ` [Labeled-nfs] " Stephen Smalley
2009-03-27 13:22 ` Stephen Smalley
2009-03-27 17:03 ` Jarrett Lu
2009-03-27 17:26 ` [nfsv4] [Labeled-nfs] " Nicolas Williams
2009-03-27 18:56 ` Jarrett Lu
2009-03-27 22:04 ` Nicolas Williams
2009-03-30 17:37 ` Stephen Smalley
2009-03-30 18:30 ` Jarrett Lu
2009-03-30 20:01 ` Nicolas Williams
2009-03-30 20:03 ` Nicolas Williams
2009-03-30 21:14 ` Stephen Smalley
2009-03-31 5:59 ` Jarrett Lu
2009-03-31 18:28 ` Nicolas Williams
2009-04-01 3:33 ` Jarrett Lu
2009-04-01 6:58 ` [Labeled-nfs] [nfsv4] " James Morris
2009-04-01 8:09 ` Jarrett Lu
2009-04-01 9:49 ` James Morris
2009-04-01 17:50 ` [nfsv4] [Labeled-nfs] " Nicolas Williams
2009-04-02 23:43 ` Jarrett Lu
2009-03-31 3:07 ` Casey Schaufler
2009-03-31 14:47 ` Paul Moore
2009-04-01 7:46 ` Jarrett Lu
2009-04-01 16:46 ` Paul Moore
2009-04-02 15:24 ` Nicolas Williams
2009-04-02 22:35 ` Paul Moore
2009-04-03 4:42 ` Nicolas Williams
2009-04-03 18:08 ` Joy Latten
2009-04-03 1:21 ` Jarrett Lu
2009-04-07 21:30 ` Paul Moore [this message]
2009-03-31 18:34 ` Nicolas Williams
2009-04-01 3:42 ` Casey Schaufler
2009-03-28 3:33 ` [Labeled-nfs] [nfsv4] " Casey Schaufler
2009-03-28 5:16 ` Glenn Faden
2009-03-28 5:52 ` Casey Schaufler
2009-03-27 22:09 ` Nicolas Williams
2009-03-30 16:51 ` Stephen Smalley
2009-03-30 20:05 ` Nicolas Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200904071730.54112.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=Jarrett.Lu@sun.com \
--cc=labeled-nfs@linux-nfs.org \
--cc=nfs-discuss@opensolaris.org \
--cc=nfsv4@ietf.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.