[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)

From: James Morris <jmorris at namei.org>
To: Nicolas Williams <Nicolas.Williams at sun.com>
Cc: labeled-nfs at linux-nfs.org, Kurt Zeilenga <Kurt.Zeilenga at Isode.com>, nfsv4 at ietf.org, saag at ietf.org, nfs-discuss at opensolaris.org, Casey Schaufler <casey at schaufler-ca.com>, Santosh Chokhani <SChokhani at cygnacom.com>
Date: Thu, 9 Apr 2009 09:26:28 +1000 (EST)
In-reply-to: <20090408211209.GS1500 at Sun.COM>
References: <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE0 at scygexch1.cygnacom.com> <B8FB99E8-17AA-4D4B-A309-8AF79838A304 at Isode.com> <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE9 at scygexch1.cygnacom.com> <20090406151606.GQ1500 at Sun.COM> <20090406180424.BA7AC9A4749 at odin.smetech.net> <49DAC29D.6030902 at schaufler-ca.com> <20090407164420.GW1500 at Sun.COM> <49DC13DA.10405 at schaufler-ca.com> <20090408051745.GG1500 at Sun.COM> <49DCCC94.80501 at schaufler-ca.com> <20090408211209.GS1500 at Sun.COM>

On Wed, 8 Apr 2009, Nicolas Williams wrote:

> > In some ways Smack is even worse. The Smack label contains no
> > actual information, it is just a character string and the access
> > control is left completely up to the access control rules specified
> > on the system. A Smack label from Etienne's system has no intrinsic
> > value on Casey's and give no hint as to how it should be interpreted
> > or enforced.
> 
> Ouch.

It's not a new problem.  On a standard DAC Unix system, what does 'admin' 
mean as the owner of a file?

The reason why labeling protocols were so simple for MLS was that the 
security policy was fixed.  This is also why MLS is useless for most 
people and why we now have TE.

- James
-- 
James Morris
<jmorris at namei.org>

References:
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Santosh Chokhani
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Kurt Zeilenga
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Santosh Chokhani
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams
- Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Russ Housley
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Casey Schaufler
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Casey Schaufler
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Casey Schaufler
- Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
  - From: Nicolas Williams

Prev by Date: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Next by Date: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Previous by thread: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
Next by thread: [saag] Fwd: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.