From: Jarrett Lu <Jarrett.Lu@sun.com>
To: James Morris <jmorris@namei.org>
Cc: Nicolas Williams <Nicolas.Williams@sun.com>,
labeled-nfs@linux-nfs.org, nfs-discuss@opensolaris.org,
selinux@tycho.nsa.gov, nfsv4@ietf.org
Subject: Re: [Labeled-nfs] [nfsv4] New MAC label support Internet Draft posted to IETF website
Date: Wed, 01 Apr 2009 01:09:16 -0700
Message-ID: <49D3212C.9070002@sun.com>
In-Reply-To: <alpine.LRH.2.00.0904011751320.21948@tundra.namei.org>
On 3/31/2009 11:58 PM, James Morris wrote:
> On Tue, 31 Mar 2009, Jarrett Lu wrote:
>
>> I'm in general agreement with you on this. I am not sure to what extent
>> the extensibility stuff makes sense, e.g. how much may be enough? I
>> guess we need to study more use scenarios. I suspect TE systems may have
>> more challenges in this area, just because security policies on TE
>> systems tend to be more flexible. For example, how many things are
>> critical in order to translate labels correctly: OS version, vendor,
>> label parser, security policy file? How likely is it that DTE systems are
>> configured with the exact same policy files? Does it make sense that a
>> (harmless) update to a security policy file causes label translation
>> failures from that point on?
>
> With SELinux systems, policies do not need to be identical to be
> considered part of the same DOI. Generally, labels need to remain
> semantically equivalent (i.e. mean the same thing on each system), and the
> policies need to be managed within the same administrative boundary.
> Systems may restrict which labels they'll interpret from remote systems
> (similar to root_squash).

Understood. My point is that a signature on a policy file may not always
be the right tool to determine whether label translation should be done.
When policies are different on two systems, how does one system know
whether labels or types are semantically equivalent or not? Are you also saying
that the DOI is tied to the administrative boundary, and that the fact that systems
use the same DOI implies the label and type definitions in each policy
are always semantically equivalent?

Jarrett

> - James
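The two positions in the exchange above, a policy-file signature as the gate for label translation versus a shared DOI with per-peer restriction of which labels a receiver will interpret (the root_squash analogy), side by side as an added illustration. This is not code from the Labeled NFS draft, from SELinux or from Solaris; the DOI number, the peer's allowed-type set, the sample policy text, the SHA-256 hash standing in for a signature and the `unlabeled_t` squash target are all constructed assumptions.

```python
"""Added illustration (not code from the Labeled NFS draft, SELinux or
Solaris): two ways a receiving host might decide whether to accept a MAC
label sent by a remote peer.  Everything here is constructed: the DOI
number, the peer's allowed-type set, the policy text and the squash
target are hypothetical."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical label a receiver falls back to when it will not interpret a
# remote label, analogous to root_squash mapping remote root to nobody.
UNLABELED = "system_u:object_r:unlabeled_t:s0"


@dataclass(frozen=True)
class RemoteLabel:
    doi: int            # Domain of Interpretation the sender claims
    label: str          # SELinux-style user:role:type:range string
    policy_hash: str    # hypothetical stand-in for a signature over the sender's policy


@dataclass
class PeerConfig:
    doi: int                                              # DOI shared with this peer
    allowed_types: Set[str] = field(default_factory=set)  # types accepted from this peer


def policy_hash(policy_text: str) -> str:
    """Hash of a policy file; a signature-based scheme would compare these."""
    return hashlib.sha256(policy_text.encode()).hexdigest()


def translate_by_hash(local_hash: str, rl: RemoteLabel) -> Optional[str]:
    """Strict rule: trust the label only if the peer's policy is byte-identical
    to ours.  Any edit to the peer's policy, harmless or not, breaks translation."""
    return rl.label if rl.policy_hash == local_hash else None


def translate_by_doi(peer: PeerConfig, rl: RemoteLabel) -> str:
    """DOI rule: a matching DOI means the administrators assert that label
    meanings are equivalent; the receiver may still squash types it does not
    choose to interpret from this peer."""
    if rl.doi != peer.doi:
        return UNLABELED
    parts = rl.label.split(":")
    if len(parts) < 4:               # malformed label: never trust it
        return UNLABELED
    type_ = parts[2]
    if type_ not in peer.allowed_types:
        return UNLABELED
    return rl.label


# Constructed sample policies: the peer's copy differs only by a comment.
LOCAL_POLICY = "allow httpd_t httpd_sys_content_t:file { read getattr };\n"
PEER_POLICY_UPDATED = LOCAL_POLICY + "# comment added by the peer's administrator\n"
LOCAL_HASH = policy_hash(LOCAL_POLICY)

PEER = PeerConfig(doi=42, allowed_types={"httpd_sys_content_t", "user_home_t"})
WEB_LABEL = "system_u:object_r:httpd_sys_content_t:s0"


def demo() -> Dict[str, Optional[str]]:
    """Run both rules over a few constructed remote labels."""
    before = RemoteLabel(42, WEB_LABEL, policy_hash(LOCAL_POLICY))
    after = RemoteLabel(42, WEB_LABEL, policy_hash(PEER_POLICY_UPDATED))
    foreign = RemoteLabel(42, "system_u:object_r:shadow_t:s0", policy_hash(LOCAL_POLICY))
    other_doi = RemoteLabel(7, WEB_LABEL, policy_hash(LOCAL_POLICY))
    return {
        "hash_before_update": translate_by_hash(LOCAL_HASH, before),   # accepted
        "hash_after_update": translate_by_hash(LOCAL_HASH, after),     # rejected
        "doi_after_update": translate_by_doi(PEER, after),             # still accepted
        "doi_unlisted_type": translate_by_doi(PEER, foreign),          # squashed
        "doi_mismatch": translate_by_doi(PEER, other_doi),             # squashed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The hash rule fails exactly in the case Jarrett raises: a comment appended to the peer's policy changes the digest and label translation stops. The DOI rule keeps working across that update, but it relies on the administrators of both systems actually keeping label meanings equivalent; the per-peer `allowed_types` set is the receiver's own safety net for types it has not reviewed, which is the restriction James compares to root_squash.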