[Labeled-nfs] Client process label operation (OP_PUTCLIENTLABEL)
James Morris
jmorris at namei.org
Sat Dec 15 04:34:46 EST 2007
On Wed, 5 Dec 2007, Matthew N. Dodd wrote:
> So, as an alternative to a new RPCSEC flavor, encoding the requesting process
> label in all client compound operations was suggested.
>
> Attached is a patch that demonstrates one way of doing this.
Looks like a good start. I'd suggest making this more general (perhaps
OP_SECURITYLABEL), which includes various optional security state and
which is always present in client and server messages when labeling is
active.
So, for SELinux, we'd likely want to convey, in addition to the current
security context of the principal:
- the "fscreate" attribute (client only), if applicable, which the server
may honor and use as the file creation label if permitted
- security policy serial number (client only), which the server uses to
know when to flush cached policy
- operating mode (enforcing/permissive)
- DOI
- security policy version (e.g. "21")
- security model (e.g. "selinux:ibac+rbac+te+mcs")
The latter three would not be expected to change during a session, so
would only be mandatory in the first messages between a client and server
effectively as negotiation.
--
James Morris
<jmorris at namei.org>
More information about the Labeled-nfs
mailing list