[nfsv4] MAC Resources

Dave Quigley <dpquigl@tycho.nsa.gov> Fri, 14 March 2008 22:29 UTC

From: Dave Quigley <dpquigl@tycho.nsa.gov>
To: nfsv4 <nfsv4@ietf.org>, sds@tycho.nsa.gov, jmorris@namei.org
Date: Fri, 14 Mar 2008 18:22:54 -0400

Hello,
	Someone suggested at the WG meeting that I provide some resources on
Mandatory Access Control (MAC) and why it is important. I have selected
some resources that we have on MAC which are public as a place to start.
The first of the papers is titled "The Inevitability of Failure."[1]
This is the motivational paper for the work that has been going on for
the past decade. It explains MAC and why DAC is insufficient to provide
the security needed in modern OS environments. The second paper outlines
the Flask architecture. This provides the rationale for using flexible
MAC instead of the traditional rigid MAC implementations used in past
trusted operating systems. The remaining links [3,4,5] are presentations
given at various conferences about SELinux. We are trying to put generic
flexible MAC support into NFS but it helps to have a sample
implementation to help understand better what it is we are trying to do.
If you have any questions you want answered please feel free to ask. I
have added James Morris and Stephen Smalley to the list so they can help
answer any questions you might have as well.

Dave

[1] The Inevitability of Failure: The Flawed Assumption of Security in
Modern Computing Environments
http://www.nsa.gov/selinux/papers/inevit-abs.cfm

[2] The Flask Security Architecture: System Support for Diverse Security
Policies
http://www.nsa.gov/selinux/papers/flask-abs.cfm

[3] 2001 Linux 2.5 Kernel Summit Presentation on SELinux
http://www.nsa.gov/selinux/papers/sel.summit-abs.cfm

[4] Integrating Flexible Support for Security Policies into the Linux
Operating System was published in the Proceedings of the FREENIX Track
of the 2001 USENIX Annual Technical Conference.
http://www.nsa.gov/selinux/papers/freenix01-abs.cfm

[5] Meeting Critical Security Objectives with Security-Enhanced Linux
was published in the Proceedings of the 2001 Ottawa Linux Symposium.
http://www.nsa.gov/selinux/papers/ottawa01-abs.cfm

