[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] [nfsv4] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)

From: James Morris <jmorris at namei.org>
To: Nicolas Williams <Nicolas.Williams at sun.com>
Cc: labeled-nfs at linux-nfs.org, Kurt Zeilenga <Kurt.Zeilenga at Isode.com>, nfsv4 at ietf.org, saag at ietf.org, nfs-discuss at opensolaris.org, Casey Schaufler <casey at schaufler-ca.com>, Santosh Chokhani <SChokhani at cygnacom.com>
Date: Wed, 8 Apr 2009 20:45:06 +1000 (EST)
In-reply-to: <20090408051745.GG1500 at Sun.COM>
References: <20090403164522.DEA9A9A4739 at odin.smetech.net> <9C2457A4-328A-4A68-A9D2-6E4B5544078D at Isode.com> <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE0 at scygexch1.cygnacom.com> <B8FB99E8-17AA-4D4B-A309-8AF79838A304 at Isode.com> <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE9 at scygexch1.cygnacom.com> <20090406151606.GQ1500 at Sun.COM> <20090406180424.BA7AC9A4749 at odin.smetech.net> <49DAC29D.6030902 at schaufler-ca.com> <20090407164420.GW1500 at Sun.COM> <49DC13DA.10405 at schaufler-ca.com> <20090408051745.GG1500 at Sun.COM>

On Wed, 8 Apr 2009, Nicolas Williams wrote:

> Therein lies the interop problem.  Will SELinux and Solaris TX interop
> with the labeled NFSv4 protocol we're working on?  Evidently: not w/o
> policy agreement (that was Jarret's point, which kick-started this
> thread on the NFSv4 WG list).

I don't know about TX, but it seems possible that someone might want to 
make SELinux with an MLS policy interoperate with a different MLS platform 
(note that this would not apply in the case of interop with purely legacy 
systems, as they won't have NFSv4.x support).  I have no idea how likely 
this scenario is, and I wouldn't try to accommodate this goal in the 
protocol unless a stakeholder could make a solid case for it.

Note that we should expect interoperability between Solaris FMAC and 
SELinux (i.e. the same security model implemented on different platforms, 
like Unix DAC).

- James
-- 
James Morris
<jmorris at namei.org>

Follow-Ups:
- Re: [saag] [nfsv4] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams

References:
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Russ Housley
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Kurt Zeilenga
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Santosh Chokhani
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Kurt Zeilenga
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Santosh Chokhani
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Russ Housley
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Casey Schaufler
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Casey Schaufler
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams

Prev by Date: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Next by Date: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Previous by thread: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Next by thread: Re: [saag] [nfsv4] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.