[Labeled-nfs] Current status
Karl MacMillan
kmacmill at redhat.com
Thu Jul 26 14:47:52 EDT 2007
Joshua Brindle wrote:
> James Morris wrote:
>
>> On Wed, 25 Jul 2007, Joe Nall wrote:
>>
>>> Looks good. I'm a little concerned about the potential complexity of the DOI
>>> negotiation and mapping. It is not clear to me that the complexity is
>>> warranted by real world requirements.
>>>
>> What we intend to do is to at least identify where DOI needs to be
>> considered, to ensure that it is part of the underlying design and not
>> something which has to be added later as an afterthought.
>
> One thing I think needs to be part of the plan from the beginning is
> doing context translation regardless of the DOI being the same or not,
> it isn't reasonable to assume every machine within a single
> administrative domain will be running the exact same policy (even if it's
> the same policy "type"). For example, just because my MySQL server has
> mysql types for databases doesn't mean my backup server will, it needs
> to be able to translate the file types to something that makes sense to
> the backup server to back them up. This is the same idea we had behind
> doing translation in racoon (which patches still haven't been upstreamed
> unfortunately).
>
> IMO a sufficiently complex administrative domain would have a common
> intermediary representation of contexts that can be translated by any
> machine accessing the files without having the exact same policies
> domain-wide.
>
I don't think I agree that context translation within a DOI should
automatically be a requirement - it is just one way to solve the
problem. It seems much simpler to me for a DOI to be a single namespace
and force people to use additional DOIs to represent the scenario you
describe above.

Karl