Re: [nfsv4] my thoughts on how Labeled NFSv4 draft should move forward

[Casey Schaufler <casey@schaufler-ca.com>]

Stephen Smalley wrote:
>> ...
>>
>>  - For DTE I've no idea what to do.  Policy agreement seems like a
>>    flight of fancy for DTE.  But *much* more importantly, because the
>>    process label transitions can span so many labels we simply cannot
>>    have too smart a server: the server can't meaningfully constrain the
>>    labels that a user@client can assert, therefore the server must trust
>>    all client assertions of process DTE labels or none at all.
>>
>>    I.e., for DTE we can only have "dumb" servers.
>>     
>
> Why?  While it is certainly true that a given client may be authorized
> to assert numerous discrete domains, that does not mean that a server
> cannot limit a client to a specific set of domains.  That can be modeled
> via a permission check on a label pair and security class, just like
> everything else.
>   

I think that the point is that for that to be interesting you need
to have a significant number of subject-label/object-label/class
triples from the client available on the server. Additionally, it
assumes that the object label available to the server is in fact
the label from that client, not the server, and not a different
client. Unless you can map the object label on the file, wherever
it originated, to a label that is appropriate to the client's
policy. And heaven forbid that the client that "owns" the label
on the file should change it's policy and reboot. Now what you have
is at best no mapping, and at worst a mapping that reflects the
old, no longer considered "secure" policy.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.