[Labeled-nfs] Current status
Karl MacMillan
kmacmill at redhat.com
Wed Jul 25 14:51:57 EDT 2007
On Wed, 2007-07-25 at 13:02 -0500, Joe Nall wrote:
> On Jul 25, 2007, at 8:51 AM, James Morris wrote:
>
> > ...
> > These requirements were published for initial review, and the latest is
> > located here:
> >
> > http://namei.org/lnfs/senfs-requirements-draft-06.txt
>
> Looks good. I'm a little concerned about the potential complexity of
> the DOI negotiation and mapping. It is not clear to me that the
> complexity is warranted by real world requirements.
>
> > - There is likely a need to provide some limited-functionality forms of
> > labeling via NFSv4, to take into account scenarios such as:
> >
> > - "dumb" server, which is not itself MAC enabled, entirely trusts
> > clients, and simply stores and retrieves MAC labels with the data
>
> I'm having a hard time envisioning how you would sell this to an
> accreditor/evaluator since server users and processes would not be
> bound by MAC. Maybe if there are no local users (appliance?) and the
> server meets CAPP.
>
It may not pass accreditation - I pushed for this mainly for corporate
environments and particularly for appliances.
Karl