[Labeled-nfs] Labeled RPC & NFS
James Morris
jmorris at namei.org
Mon Jan 14 17:12:24 EST 2008
On Mon, 14 Jan 2008, Matthew N. Dodd wrote:
> James Morris wrote:
> > It pretty much needs to "just work". Enabling MAC on NFS should not mean
> > having to change authentication schemes, especially to something potentially
> > less secure.
>
> We're somewhat limited by our inability to inject random context data into the
> GSS_RPC stream.
>
> As I've mentioned before, even if you solve this the current code caches
> credential data by UID, which makes it difficult to support processes of
> differing labels running under the same UID.
>
> Now, we could bump RPC_GSS_VERSION, add a flags field and TLVs to hold the
> label, but that involves a whole lot of buy-in.
>
> Solving this up at the NFS layer has its own problems.
Well, that was the hope. What are the problems?
--
James Morris
<jmorris at namei.org>
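To make concrete the caching problem Matthew raises (credentials cached by UID, so two processes with the same UID but different labels collide), here is an added toy model, written for this page and not taken from the thread or from the kernel's RPCSEC_GSS code. It keeps a small credential cache keyed either on UID alone or on (UID, label) and reports whether a second, differently labeled process under the same UID ends up reusing the first one's context. The "context" strings stand in for negotiated GSS contexts and the SELinux-style labels are constructed sample values; none of the names are real kernel identifiers.

```c
/*
 * Added example (not code from the Labeled-nfs thread or the kernel): a toy
 * credential cache keyed on UID only, beside the same cache keyed on
 * (UID, label). Context handles are plain strings that record which
 * uid/label they were "negotiated" for; labels are constructed samples.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define STR_LEN 96

struct cred_entry {
    int in_use;
    unsigned uid;
    char label[STR_LEN];  /* compared only when the cache is label-aware */
    char ctx[STR_LEN];    /* stands in for a GSS context handle */
};

struct cred_cache {
    int label_aware;      /* 0: key on UID only; 1: key on (UID, label) */
    struct cred_entry entries[MAX_ENTRIES];
};

static void cache_init(struct cred_cache *c, int label_aware)
{
    memset(c, 0, sizeof(*c));
    c->label_aware = label_aware;
}

/* Look up an existing entry; the label is ignored unless label_aware is set. */
static struct cred_entry *cache_find(struct cred_cache *c, unsigned uid, const char *label)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct cred_entry *e = &c->entries[i];
        if (!e->in_use || e->uid != uid)
            continue;
        if (c->label_aware && strcmp(e->label, label) != 0)
            continue;
        return e;
    }
    return NULL;
}

/* Simulates negotiating a fresh context for (uid, label) and caching it. */
static struct cred_entry *cache_insert(struct cred_cache *c, unsigned uid, const char *label)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct cred_entry *e = &c->entries[i];
        if (e->in_use)
            continue;
        e->in_use = 1;
        e->uid = uid;
        snprintf(e->label, sizeof e->label, "%s", label);
        snprintf(e->ctx, sizeof e->ctx, "ctx[uid=%u,label=%s]", uid, label);
        return e;
    }
    return NULL; /* cache full */
}

/* The context a process running as (uid, label) would put on the wire. */
static const char *cred_for(struct cred_cache *c, unsigned uid, const char *label)
{
    struct cred_entry *e = cache_find(c, uid, label);
    if (!e)
        e = cache_insert(c, uid, label);
    return e ? e->ctx : NULL;
}

/*
 * Two processes share uid 1000 but carry different labels. Returns 1 if the
 * second process's context was negotiated for its own label, 0 if it
 * silently inherited the first process's context from the cache.
 */
int second_process_gets_own_label(int label_aware)
{
    struct cred_cache c;
    cache_init(&c, label_aware);
    /* Constructed sample labels, not taken from any real policy. */
    const char *label_a = "system_u:system_r:httpd_t:s0";
    const char *label_b = "unconfined_u:unconfined_r:unconfined_t:s0";

    (void)cred_for(&c, 1000, label_a);
    const char *second = cred_for(&c, 1000, label_b);
    return second && strstr(second, "label=unconfined_u:unconfined_r:unconfined_t:s0]") != NULL;
}

int main(void)
{
    printf("UID-only cache, second process gets own label: %d\n",
           second_process_gets_own_label(0));
    printf("(UID,label) cache, second process gets own label: %d\n",
           second_process_gets_own_label(1));
    return 0;
}
```

With the UID-only key the second lookup hits the first process's entry, so its RPCs would go out under a context that was established for a different label; keying on (UID, label) yields a separate context per label. A real fix also has to carry the label to the server somehow, which is the separate injection problem the thread discusses.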