[Labeled-nfs] Labeled NFS Update

[David P. Quigley]

On Thu, 2009-09-03 at 18:35 -0500, Nicolas Williams wrote:
> On Thu, Sep 03, 2009 at 04:25:11PM -0700, Jarrett Lu wrote:
> > Thanks for the update. It's been a while, and I like to back up and ask 
> > a high level question. When accessing a remote file system object (on 
> > MAC systems), two important pieces of information need to be exchanged: 
> > (1) the credential of the requester (e.g. its label, privileges, 
> > security context, capabilities, etc.). The credential will be used as 
> > part of access control. (2) label of the object being accessed (e.g. 
> > security label attributes of a file). In the proposed Labeled NFS model, 
> > is it true that (1) will be covered by RPCSECGSSv3 and (2) will be 
> > covered by the new MAC Label Attributes in NFSv4.2?
> 
> I can't speak for David, but IMO those are the two needed pieces, with
> this caveat: they are somewhat optional, and if not available then
> everything is very constrained.
> 
> I.e., a server can still enforce MAC when clients use RPCSEC_GSSv1 or
> v2.  And clients and servers can still enforce MAC when using NFSv4.0 or
> v4.1 without the new MAC label attributes.  Obviously, not having
> RPCSEC_GSSv3 or new MAC Label Attributes would enormously constrain what
> can be done.  E.g., RPCSEC_GSSv1 -> one label per-client principal.  No
> label attributes -> client can't find out nor set the attribute of a
> file, _except_ by tying labels to locations (much like TX does).
> 
> Nico

Both you and Jarrett are correct. Lately I've been hearing requests for
the RPCSEC_GSSv1,2 approach you listed above where a server based on
some criteria in this case the authenticated user assumes all requests
use the same label. Ideally it would be best for these deployments to
move over to an environment where both client and server are fully MAC
capable and are using RPCSEC_GSSv3 for process label transport and the
MAC attribute for file labeling.

Dave