SPIF has been successfully implemented and used. > -----Original Message----- > From: Nicolas Williams [mailto:Nicolas.Williams at sun.com] > Sent: Wednesday, April 08, 2009 1:18 AM > To: Casey Schaufler > Cc: Russ Housley; Santosh Chokhani; saag at ietf.org; > labeled-nfs at linux-nfs.org; Kurt Zeilenga; > nfs-discuss at opensolaris.org; nfsv4 at ietf.org > Subject: Re: [Labeled-nfs] [saag] Common labeled security > (comment on CALIPSO, labeled NFSv4) > > On Tue, Apr 07, 2009 at 08:02:50PM -0700, Casey Schaufler wrote: > > Wow. > > > > Before I go too far, how familiar are you with MLS, > SELinux, or Smack? > > I'm familiar with Solaris TX (which is MLS). I'm also > familiar with the OpenSolaris community that is trying to > extend the TX model to include DTE. I don't know much at all > about SELinux or Smack. > > I think common security policies for MLS are within reach. > DTE... not so much. Some subsets of specific DTE policies, > probably on a per-application basis, should be. > > > All three provide general security policy models (Opinions vary on > > MLS) but none would lend themselves as a "generic" model. MLS is > > strictly oriented toward sensitivity, SELinux depends on > the programs > > installed on the machine, and Smack uses no syntax in its labels at > > all. An interoperable encoding of policies might be > possible for very > > limited policies. I suggest that mapping any other policy to the > > SELinux reference policy is beyond the state of the art, > and I welcome > > an informed argument that proves me wrong. Two peers negotiating a > > IIUC it should be possible to generate SELinux policies from > generic ones, but not the reverse. If so then that provides > a path to interoperable deployment, though it would mean > sacrificing some flexibility. Can you clarify my understanding? > > > policy subset? How does that help? Regarding the notion > that the issue > > of label equivalences is "least critical", I don't see how you can > > claim to have successfully addressed any of the other bullet items > > without it. > > Why send data at some label to a peer who doesn't understand > what that label is? > > As for label equivalencies I was referring to the example > cited earlier of multiple agencies with different MLS > policies needing to communicate. > To clarify: by "less critical" I meant that we could solve > the equivalency problem later (provided we don't paint > ourselves into any corners). > > > You're busy stocking the nursery and you haven't kissed the > girl yet. > > Thanks. > > > If the information from the client is meaningless to the server the > > server can not use it to make an access control decision. Same goes > > the other way. With Smack I can assert that the label space for the > > Therein lies the interop problem. Will SELinux and Solaris > TX interop with the labeled NFSv4 protocol we're working on? > Evidently: not w/o policy agreement (that was Jarret's point, > which kick-started this thread on the NFSv4 WG list). > > > client and server are the same and that it's OK if they use > the labels > > passed around even if their rule sets differ. I know a good > number of > > people who would find such an assertion dangerous, maybe even > > criminal. Label representations are meaningless without the policy > > So you're saying that a) "a good number of people" think a > solution is needed that allows the client and server to each > know with certainty that the other will understand their > labels, b) you're among those people (?), but c) no solution > is feasible. Correct? > > So close up shop, forget interop? Or did I misunderstand > you? What is the message that you're imparting here? I get > the impression that it's "you can't solve this problem" and > "I know what I'm doing" (and "you > don't") but you're not telling us what it is that is. Is > what you really mean "forget labeled protocol interop"? > Please clarify. > > > behind them and mapping policies is hard enough that you could > > probably get a PHD from a reputable institution by > measuring just how > > hard it is. > > I'm not interested in a PhD. I'm interested in solutions. > SPIF is evidence that it's been tried. But I know little > about how successful SPIF has been. > > Nico > -- >
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.