[Labeled-nfs] Labeled RPC & NFS
Matthew N. Dodd
Matthew.Dodd at sparta.com
Mon Jan 14 16:05:04 EST 2008
James Morris wrote:
> It pretty much needs to "just work". Enabling MAC on NFS should not mean
> having to change authentication schemes, especially to something
> potentially less secure.
We're somewhat limited by our inability to inject random context data
into the GSS_RPC stream.
As I've mentioned before, even if you solve this the current code caches
credential data by UID, which makes it difficult to support processes of
differing labels running under the same UID.
Now, we could bump RPC_GSS_VERSION, add a flags field and TLVs to hold
the label, but that involves a whole lot of buy-in.
Solving this up at the NFS layer has its own problems.
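The two points in the message, a credential format with a bumped version, a flags field and TLVs holding the label, and a GSS context cache that keys on UID alone, as an added illustration. This is not code from the thread, from the Linux sunrpc layer or from any RPCSEC_GSS specification: the field layout, the constants (LCRED_VERSION, TLV_LABEL, and so on), the SELinux-style label strings and the cache table are all assumptions made for the example.

```c
/* Added illustration for the Labeled-nfs thread above. NOT code from the
 * thread, the Linux sunrpc code or any RPCSEC_GSS spec: a hypothetical
 * credential body (version, flags, TLVs incl. a MAC label) and a GSS context
 * cache keyed by UID alone vs. (UID, label). All names/values are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LCRED_VERSION        2u     /* assumed: RPC_GSS_VERSION bumped from 1 */
#define LCRED_FLAG_HAS_LABEL 0x1u   /* assumed flag bit */
#define TLV_LABEL            1u     /* assumed TLV type carrying the MAC label */
#define TLV_UNKNOWN          0x7fu  /* stands in for a type this decoder never learned */

static size_t put_u32(uint8_t *p, uint32_t v) {          /* XDR-style big-endian */
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v; return 4; }
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static size_t xdr_pad(size_t n) { return (n + 3) & ~(size_t)3; }

/* Body: version, flags, tlv_count, then TLVs as (type, len, value padded to 4).
 * add_unknown != 0 inserts a TLV_UNKNOWN entry ahead of the label TLV. */
size_t lcred_encode(uint8_t *out, size_t cap, const char *label, int add_unknown) {
    size_t llen = strlen(label), off = 0;
    if (12 + (add_unknown ? 12 : 0) + 8 + xdr_pad(llen) > cap) return 0;
    off += put_u32(out + off, LCRED_VERSION);
    off += put_u32(out + off, LCRED_FLAG_HAS_LABEL);
    off += put_u32(out + off, add_unknown ? 2u : 1u);
    if (add_unknown) {                        /* 3-byte opaque value, padded to 4 */
        off += put_u32(out + off, TLV_UNKNOWN);
        off += put_u32(out + off, 3);
        memcpy(out + off, "abc", 4); off += 4;
    }
    off += put_u32(out + off, TLV_LABEL);
    off += put_u32(out + off, (uint32_t)llen);
    memset(out + off, 0, xdr_pad(llen));
    memcpy(out + off, label, llen);
    return off + xdr_pad(llen);
}

/* 0 and the label on success. Every length is checked against the buffer
 * before it is used, and TLV types the decoder does not know are skipped. */
int lcred_decode(const uint8_t *in, size_t len, char *label_out, size_t label_cap) {
    if (len < 12) return -1;
    if (get_u32(in) != LCRED_VERSION) return -2;
    uint32_t flags = get_u32(in + 4), count = get_u32(in + 8);
    size_t off = 12;
    label_out[0] = '\0';
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < 8) return -1;
        uint32_t type = get_u32(in + off), tlen = get_u32(in + off + 4);
        off += 8;
        if (tlen > len - off || xdr_pad(tlen) > len - off) return -1;
        if (type == TLV_LABEL) {
            if (tlen >= label_cap) return -3;
            memcpy(label_out, in + off, tlen);
            label_out[tlen] = '\0';
        }
        off += xdr_pad(tlen);
    }
    if ((flags & LCRED_FLAG_HAS_LABEL) && label_out[0] == '\0') return -4;
    return 0;
}

/* Encode then decode; 1 if the label survives the round trip. */
int lcred_roundtrip_ok(const char *label, int add_unknown) {
    uint8_t buf[256]; char back[64];
    size_t n = lcred_encode(buf, sizeof buf, label, add_unknown);
    return n > 0 && lcred_decode(buf, n, back, sizeof back) == 0 && strcmp(back, label) == 0;
}

/* Tiny GSS context cache. Keyed by UID only, the first same-UID entry wins,
 * so a process with another label is handed that label's context; keyed by
 * (UID, label) each label gets its own. */
struct ctx_entry { uint32_t uid; const char *label; int ctx_id; };
int lcred_cache_lookup(const struct ctx_entry *tab, size_t n, uint32_t uid,
                       const char *label, int key_by_label) {
    for (size_t i = 0; i < n; i++) {
        if (tab[i].uid != uid) continue;
        if (key_by_label && strcmp(tab[i].label, label) != 0) continue;
        return tab[i].ctx_id;
    }
    return -1;
}

/* Which context does UID 1000 running at label "s0:c2" get? (table constructed) */
int lcred_demo_lookup(int key_by_label) {
    static const struct ctx_entry tab[] = { { 1000, "s0:c1", 11 }, { 1000, "s0:c2", 12 } };
    return lcred_cache_lookup(tab, 2, 1000, "s0:c2", key_by_label);
}

int main(void) {
    printf("roundtrip with unknown TLV: %d\n", lcred_roundtrip_ok("s0:c1", 1));
    printf("uid-only cache -> ctx %d, (uid,label) cache -> ctx %d\n",
           lcred_demo_lookup(0), lcred_demo_lookup(1));
    return 0;
}
```

The skip-unknown-TLV branch is what would let a peer that predates a given TLV type still parse the credential; the cache lookup makes the second point of the message concrete: with the key on UID alone, the "s0:c2" process is served the context cached for "s0:c1".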