[Labeled-nfs] Labeled RPC & NFS
Casey Schaufler
casey at schaufler-ca.com
Mon Jan 14 09:59:59 EST 2008
--- James Morris <jmorris at namei.org> wrote:
> I gather the expectation is that AUTH_SECLABEL would be used in
> conjunction with IPSec or other machine-based security. I believe this
> can provide useful security if configured carefully, e.g. specify MAC
> policy on the client so that only trusted subjects have the ability to
> send traffic to the NFS port, to prevent forging of RPC messages (and thus
> MAC attributes); or even use labeled IPSec :-)
I will point out that in the Unix world MAC systems have been using
labeled NFS without (and with) additional authentication schemes for
many years. You can slow yourselves down by adding a dependency on
orthogonal issues; I suggest retaining focus on the task at hand.
Casey Schaufler
casey at schaufler-ca.com