[Labeled-nfs] Labeled RPC & NFS
James Morris
jmorris at namei.org
Mon Jan 14 15:55:51 EST 2008
On Mon, 14 Jan 2008, Casey Schaufler wrote:
>
> --- James Morris <jmorris at namei.org> wrote:
>
> > I gather the expectation is that AUTH_SECLABEL would be used in
> > conjunction with IPSec or other machine-based security. I believe this
> > can provide useful security if configured carefully, e.g. specify MAC
> > policy on the client so that only trusted subjects have the ability to
> > send traffic to the NFS port, to prevent forging of RPC messages (and thus
> > MAC attributes); or even use labeled IPSec :-)
>
> I will point out that in the Unix world MAC systems have been using
> labeled NFS without (and with) additional authentication schemes for
> many years. You can slow yourselves down by adding a dependency on
> orthoganal issues, I suggest to retain focus on the task at hand.
That's not going to work for general purpose MAC, where people don't have
physically secure networks, in-line encryptors, extensive security
training, static, well-documented system configurations or the resources
to administer such systems.
It pretty much needs to "just work". Enabling MAC on NFS should not mean
having to change authentication schemes, especially to something
potentially less secure.
- James
--
James Morris
<jmorris at namei.org>
More information about the Labeled-nfs
mailing list