[Labeled-nfs] Current development prototype patches.
Casey Schaufler
casey at schaufler-ca.com
Mon Aug 6 10:24:19 EDT 2007
--- "David P. Quigley" <dpquigl at tycho.nsa.gov> wrote:
> On Fri, 2007-08-03 at 16:33 -0400, Matthew N. Dodd wrote:
> [snip...]
>
> There is a small problem with doing file labeling in this manner. This
> method works assuming that we only use dumb servers. However one of the
> requirements is to have MAC enabled servers be part of the decision
> process. In this case we need to send the process secid over to the
> server most likely as part of the RPC.
I expect that you want the server to enforce its policy and the client
to enforce its policy and that you do not want to even consider
attempting to enforce the client's policy on the server. There's just
too much internal state (e.g. what LSM is on the client, for SELinux
the policy) on the clients to duplicate it for each client on the
server. The best that the server can do is call back to the client
and ask what decision the client would have made, and why not have the
client do that itself?
> I know this is an initial
> implementation however it is something we need to consider moving
> forward so we don't shoot ourselves in the foot later.
>
> > +/*
> > + * For now, we need a way to compute a SID for
> > + * a dentry as the inode is not yet available
> > + * (and under NFSv4 has no label backed by an EA anyway.
> > + */
> > +static int selinux_dentry_init_security(struct dentry *dentry, int
> > mode, u32 *sid)
>
>
> _______________________________________________
> Labeled-nfs mailing list
> Labeled-nfs at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs
>
>
>
Casey Schaufler
casey at schaufler-ca.com
More information about the Labeled-nfs
mailing list