Re: [Labeled-nfs] [nfsv4] New MAC label support Internet Draft posted to IETF website

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Glenn Faden <Glenn.Faden@sun.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Jarrett Lu <Jarrett.Lu@sun.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	labeled-nfs@linux-nfs.org, nfs-discuss@opensolaris.org,
	selinux@tycho.nsa.gov, nfsv4@ietf.org
Subject: Re: [Labeled-nfs] [nfsv4] New MAC label support Internet Draft posted to IETF	website
Date: Fri, 27 Mar 2009 22:16:38 -0700	[thread overview]
Message-ID: <49CDB2B6.7090509@sun.com> (raw)
In-Reply-To: <49CD9A7D.6070207@schaufler-ca.com>

Casey Schaufler wrote:
> Jarrett Lu wrote: 
>     
>   
>> I agree with your statements on TE vs. MLS/BLP. The problem we try to 
>> solve is whether a DOI field + an opaque string is sufficient to solve 
>> the interoperability problem.
>>     
>
> It is not. Two SELinux systems of the same version of the same
> operating system may have different and incompatible policies.
> Domains with the exact same name, intended for the exact same
> purpose, may include MLS on one and MCS on the other, have
> identical on wire representation of the labels, and still not
> inter operate in any sane way. The same is true for Smack, where
> the label Fish can be treated very differently on two adjacent
> boxes. Any system that relies on opaque data is going to
> have this problem, which is why the 1980's attempt at CIPSO
> went down in flames.
>   
Casey I agree with you up to the last sentence. CIPSO was invented in 
the early 90's and is still in use today by multiple vendors. CALIPSO is 
essentially an IPv6 version of CIPSO.

I think your point is that neither CIPSO nor CALIPSO can be used to 
represent SELinux security contexts. If so, that should be obvious.

Your assertion that it is required for the client and server  to have 
the same policies and OS versions is generally true, although each 
system would be expected to refuse to deal with any types that is 
doesn't understand. The opportunity for misunderstanding seems likely. I 
have an additional concern how different systems, like SELinux and 
Solaris with FMAC will handle each other's security contexts. Even if 
their policies use the same types, roles, MLS labels, etc, the 
implementation details, like privileges vs. capabilities, will probably 
differ.
>   
>>  My opinion is that it's insufficient as it 
>> doesn't take the "how to interpret MAC attribute agreement among all 
>> communicating peers" into account. The current proposal seems to assume 
>> when a node sees a DOI value of 5, it knows how to interpret the opaque 
>> field. This may not be true. In MLS, one also needs to know which agreed 
>> upon label encoding file to use in order to interpret label in the 
>> opaque filed. I believe the same is true for TE -- one needs to know the 
>> security policy being used in order to correctly interpret security 
>> context string in the opaque field. DOI + opaque field doesn't say which 
>> label encoding scheme or which security policy.
>>   
>>     
>
> Common label encoding isn't sufficient either. Consider two
> computers, one encoded for DoD labels and the other for DoE
> labels. Both use SECRET, and any attempt to translate between
> the two will undoubtedly match them up even though they are
> very different. The Mitre encoding scheme doesn't solve the
> problem either, which is evident by the fact we're still
> discussing the issue today.
>
> What will work is the real question. The only notion I've seen
> that really addresses the issue has been rejected many times
> for the simple reason that it's too hard to administer. It
> requires that each system have a map of all labels that it
> expects to see from a given peer and their corresponding local
> representations. Whoever figures out a reasonable way to go
> about doing this gets a beer from me.
>
>   
In ancient times (the 1990s), trusted systems used to try to 
interoperate using the TSIX protocol. For those who want the history 
lesson here are the SGI and Sun docs:

http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=man&fname=/usr/share/catman/a_man/cat7/trusted_networking.z

http://docs.sun.com/app/docs/doc/816-1048/6m7gaddhs?a=view

Sun dropped support for TSIX after all the other vendors withdrew from 
the market. The TSIX implementation was a mess, but it attempted to map 
one vendor's security attributes, e.g. privileges, into its own notion, 
e.g. capabilities. Labels were sent as strings and translated into local 
formats, as well. We sort of got it to work with Digital's MLS system, 
but everybody eventually fell back to CIPSO.

--Glenn


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2009-03-28  5:16 UTC|newest]

Thread overview: 60+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-01-22 19:16 New MAC label support Internet Draft posted to IETF website David P. Quigley
     [not found] ` <54E18340-3542-4AB4-843E-E92A67B709A7@storspeed.com>
2009-01-23 17:47   ` [nfsv4] " Peter Staubach
2009-01-23 21:59     ` Glenn Faden
2009-01-23 19:07   ` [Labeled-nfs] " Kevin L. Smith
     [not found]   ` <33B70CB9-5260-419A-98CF-94847F829570@nokia.com>
2009-01-28  1:17     ` Jarrett Lu
2009-02-09 22:24 ` Peter Staubach
2009-02-11 23:47   ` David P. Quigley
2009-02-12  1:07     ` [Labeled-nfs] " James Morris
2009-02-12 15:36       ` [nfsv4] " Nicolas Williams
2009-02-12 20:00         ` David P. Quigley
2009-02-12 20:11           ` Nicolas Williams
2009-02-17 16:50             ` David P. Quigley
2009-02-17 17:00               ` Nicolas Williams
2009-02-12 19:45       ` David P. Quigley
2009-02-12 15:22   ` [nfsv4] " Nicolas Williams
2009-03-12 16:08   ` David P. Quigley
2009-03-12 17:20     ` Peter Staubach
2009-03-25  8:52 ` Jarrett Lu
2009-03-25 16:33   ` [nfsv4] " Nicolas Williams
2009-03-26  9:25     ` Jarrett Lu
2009-03-26 15:09       ` Nicolas Williams
2009-03-26 22:03         ` Jarrett Lu
2009-03-27  0:11           ` Nicolas Williams
2009-03-27 12:55             ` [Labeled-nfs] " Stephen Smalley
2009-03-27 13:22               ` Stephen Smalley
2009-03-27 17:03                 ` Jarrett Lu
2009-03-27 17:26                   ` [nfsv4] [Labeled-nfs] " Nicolas Williams
2009-03-27 18:56                     ` Jarrett Lu
2009-03-27 22:04                       ` Nicolas Williams
2009-03-30 17:37                       ` Stephen Smalley
2009-03-30 18:30                         ` Jarrett Lu
2009-03-30 20:01                           ` Nicolas Williams
2009-03-30 20:03                             ` Nicolas Williams
2009-03-30 21:14                           ` Stephen Smalley
2009-03-31  5:59                             ` Jarrett Lu
2009-03-31 18:28                               ` Nicolas Williams
2009-04-01  3:33                                 ` Jarrett Lu
2009-04-01  6:58                                   ` [Labeled-nfs] [nfsv4] " James Morris
2009-04-01  8:09                                     ` Jarrett Lu
2009-04-01  9:49                                       ` James Morris
2009-04-01 17:50                                   ` [nfsv4] [Labeled-nfs] " Nicolas Williams
2009-04-02 23:43                                     ` Jarrett Lu
2009-03-31  3:07                           ` Casey Schaufler
2009-03-31 14:47                             ` Paul Moore
2009-04-01  7:46                               ` Jarrett Lu
2009-04-01 16:46                                 ` Paul Moore
2009-04-02 15:24                                   ` Nicolas Williams
2009-04-02 22:35                                     ` Paul Moore
2009-04-03  4:42                                       ` Nicolas Williams
2009-04-03 18:08                                       ` Joy Latten
2009-04-03  1:21                                   ` Jarrett Lu
2009-04-07 21:30                                     ` Paul Moore
2009-03-31 18:34                             ` Nicolas Williams
2009-04-01  3:42                               ` Casey Schaufler
2009-03-28  3:33                   ` [Labeled-nfs] [nfsv4] " Casey Schaufler
2009-03-28  5:16                     ` Glenn Faden [this message]
2009-03-28  5:52                       ` Casey Schaufler
2009-03-27 22:09                 ` Nicolas Williams
2009-03-30 16:51                   ` Stephen Smalley
2009-03-30 20:05                     ` Nicolas Williams

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=49CDB2B6.7090509@sun.com \
    --to=glenn.faden@sun.com \
    --cc=Jarrett.Lu@sun.com \
    --cc=casey@schaufler-ca.com \
    --cc=labeled-nfs@linux-nfs.org \
    --cc=nfs-discuss@opensolaris.org \
    --cc=nfsv4@ietf.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.