[Labeled-nfs] Current status
Joshua Brindle
method at manicmethod.com
Thu Jul 26 13:52:22 EDT 2007
James Morris wrote:
> On Wed, 25 Jul 2007, Joe Nall wrote:
>
>
>> Looks good. I'm a little concerned about the potential complexity of the DOI
>> negotiation and mapping. It is not clear to me that the complexity is
>> warranted by real world requirements.
>>
>
> What we intend to do is to at least identify where DOI needs to be
> considered, to ensure that it is part of the underlying design and not
> something which has to be added later as an afterthought.
>
>
One thing I think needs to be part of the plan from the beginning is
doing context translation regardless of the DOI being the same or not,
it isn't reasonable to assume every machine within a single
adminstrative domain will be running the exact same policy (even if its
the same policy "type"). For example, just because my MySQL server has
mysql types for databases doesn't mean my backup server will, it needs
to be able to translate the file types to something that makes sense to
the backup server to back them up. This is the same idea we had behind
doing translation in racoon (which patches still haven't been upstreamed
unfortunately).
IMO a sufficiently complex administrative domain would have a common
intermediary representation of contexts that can be translated by any
machine accessing the files without having the exact same policies
domain-wide.
More information about the Labeled-nfs
mailing list