[Labeled-nfs] Client and Server policies and file creation.
Paul Moore
paul.moore at hp.com
Tue Aug 7 09:11:22 EDT 2007

On Monday, August 6 2007 6:47:55 pm Casey Schaufler wrote:
> --- "Matthew N. Dodd" <Matthew.Dodd at sparta.com> wrote:
> > [In reply to a new discussion in a differently titled thread.]
> >
> > When a file is created by a client, the client passes the desired
> > attributes to the server in the request. Later, the client requests the
> > attributes the server created the file with.
> >
> > It seems to me that this is exactly the way we want things to function
> > when we enforce policy on the client and the server.
>
> An important question is whether the client is going to get back
> the same attributes it sent in all cases. This requires either that
> the server stores what the client sent or that the mapping between
> what the client sends and what the server stores is reversible.

If there is any hope of label translation actually working I think the
mappings between different DOIs must be reversible.

> Let's consider an easy case. The server supports a binary MAC policy,
> with two labels, USER and SYSTEM, stored in a single bit. The client
> has a Bell&LaPadula label that supports 256 levels and 64k categories.
> If you store the Server Native label you can't go back to the client
> label, you can't even come close. Any client access check based on a
> translation from the server label will be wrong.

Step back a level and stop thinking about the different parts/fields which
make up an object's label and think about the label as a single, opaque blob.
In your example above we can think of the server side as having label X and
the client as having label Y. Label X is the combination of the USER and
SYSTEM sub-labels/fields on the server and label Y is the combination of the
traditional MLS sensitivity level and category bitmap.

Once you abstract out the labels like this I believe it should be fairly
straightforward to establish one-to-one mappings between labels in different
security domains. I'll admit it might not always be an elegant mapping
depending on the different domains, but it should be possible. It will also
require careful creating of the label mappings, but then again this is a
cross-domain issue and from what I can tell this burden is nothing new.

> If the file system saves both the client label and the server label,
> and uses each in its appropriate context, you are better off - and
> here's the gotcha - so long as you only have one client. If you have
> a second client with a different MAC scheme you can't give it the
> server's label to use because you know it is wrong and you can't give
> it the other client's label because that will be wrong, too.

Not the only reason why this solution won't work for a general solution, but
an easy one to understand.
--
paul moore
linux security @ hp
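
The reversibility property discussed in this message, as an added example that is not part of the original post or of any labeled NFS implementation: a check that a label translation table between two domains is one-to-one, with labels treated as opaque strings. The function names, label values and tables are constructed for illustration.

```python
from collections import defaultdict

def reversibility_problems(mapping, source_labels, target_labels):
    """Check a label translation table (source domain -> target domain).

    Labels are opaque strings. Returns a list of (kind, detail) tuples;
    an empty list means every source label survives a round trip.
    """
    problems = []
    for label in sorted(source_labels):
        if label not in mapping:
            problems.append(("unmapped", label))
    sources_by_target = defaultdict(list)
    for src, dst in mapping.items():
        if dst not in target_labels:
            problems.append(("unknown-target", dst))
        sources_by_target[dst].append(src)
    for dst, srcs in sorted(sources_by_target.items()):
        if len(srcs) > 1:
            # Two source labels share one stored label: the inverse is ambiguous.
            problems.append(("collision", (dst, sorted(srcs))))
    return problems

def round_trip(mapping, label):
    """Translate a label to the other domain and back via the inverse table."""
    inverse = {dst: src for src, dst in mapping.items()}
    return inverse[mapping[label]]

# Constructed sample data: three MLS-style client labels, two server labels.
CLIENT = {"s0", "s3:c1", "s3:c1,c5"}
SERVER_BINARY = {"USER", "SYSTEM"}
LOSSY = {"s0": "USER", "s3:c1": "SYSTEM", "s3:c1,c5": "SYSTEM"}

# Constructed one-to-one table: one distinct opaque server label per client label.
SERVER_OPAQUE = {"X1", "X2", "X3"}
ONE_TO_ONE = {"s0": "X1", "s3:c1": "X2", "s3:c1,c5": "X3"}

if __name__ == "__main__":
    print(reversibility_problems(LOSSY, CLIENT, SERVER_BINARY))
    print(round_trip(LOSSY, "s3:c1"))          # comes back as a different label
    print(reversibility_problems(ONE_TO_ONE, CLIENT, SERVER_OPAQUE))
    print(round_trip(ONE_TO_ONE, "s3:c1,c5"))
```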