[Labeled-nfs] Current status
Joe Nall
joe at nall.com
Wed Jul 25 14:02:42 EDT 2007
On Jul 25, 2007, at 8:51 AM, James Morris wrote:
> ...
> These requirements were published for initial review, and the latest is
> located here:
>
> http://namei.org/lnfs/senfs-requirements-draft-06.txt
Looks good. I'm a little concerned about the potential complexity of
the DOI negotiation and mapping. It is not clear to me that the
complexity is warranted by real world requirements.
> - There is likely a need to provide some limited-functionality forms of
> labeling via NFSv4, to take into account scenarios such as:
>
> - "dumb" server, which is not itself MAC enabled, entirely trusts
> clients, and simply stores and retrieves MAC labels with the data
I'm having a hard time envisioning how you would sell this to an
accreditor/evaluator since server users and processes would not be
bound by MAC. Maybe if there are no local users (appliance?) and the
server meets CAPP.
> - Orthogonal security services, not using RPCSEC_GSS e.g. physically
> secure networks; labeled networking (CIPSO, labeled IPsec); bump in the
> wire security etc.
Orthogonal - but still using the same DOI?
> - Must be able to support mixed environments well, e.g. users running
> several operating systems, some not MAC-aware, accessing the same
> file server.
Definitely
> - Need to ensure manageability (e.g. Linux implementation may integrate
> with FreeIPA http://www.freeipa.org/page/Main_Page).
Never heard of it. Thanks for the link.
> ...
>
> Status of work:
>
> - Initial prototype code is being developed by Sparta to get SELinux
> labels transported across the wire. This has not been posted publicly as
> yet.
We have labeled IPSec networks and test resources if we can help.
joe