On Mon, Apr 06, 2009 at 08:03:57PM -0700, Casey Schaufler wrote: > I don't think so. Two SELinux machines will most likely have different > policies even if they installed from the same media on similar hardware > with similar configurations. If there's any reason for the NFS server > to know anything about the client that impacts policy enforcement the > server has to know enough to make that judgment correctly. If the server > can ignore the client's policy there is no need to send any information. > If the server can't ignore the client's policy it needs to be able to > reconcile the local policy to the remote policy in order to enforce > reasonable policy.
We can have label-aware servers with non-label-aware protocols. But that's too constraining: it means clients have to be at a single label or otherwise communicate labels by convention (e.g., data location). It also means that interfaces to labeling will be proprietary. We can have non-label-aware server, non-label-aware protocols, and label aware clients, trusting the clients to enforce a common policy. But this too is too constraining: a) it forces one to associate labels with document _location_, b) it forces one to trust the clients too much. We need multi-level clients, since many users will have a range of clearances, not just a single one (and they need a trusted desktop). Given the above then we need label-aware servers and label-aware protocols so as to support for multi-level clients (with clients trusted to within a range of labels associated with clients' and users' authenticated identities and other authorization information). Even before putting labels on the wire we'd have a security policy management issue since storage can span many servers. With labels appearing on the wire (in IP headers, in application protocols, in PKIX certificate extensions and Kerberos V authorization- data, ...) we simply cannot avoid the need to express common security policies. We also cannot force everything and everyone to operate in a single DOI. And we cannot avoid the need to classify the security policies themselves, including varying classification for different subsets of the policies. IMO that means that we need something like SPIF, including: - a generic security policy data model/syntax - an interoperable encoding of security policies - a method by which two peers can detect and agree that they know a given common subset of a common security policy - label equivalencies The last item is the least critical -- we can deal with that later. > So you're back to mapping policies. You have to map policies if you > want either side to do all the work. The mechanisms used to map Yes. > labels used by different installations of the same 1990's MLS systems > will not work for SELinux systems installed for different purposes by > disjoint agencies. That's fine, unless you want them to interop and you can establish equivalencies. And provided SELinux can deal -- but that's less important because if it's just a small matter of programming (i.e., we have specs to code to or know what to code that we can write specs from) then it's just a matter of time. So we need to know whether solutions in this space are technically feasible. I believe they are. (We also need to know whether they are politically feasible, but here I think we'll find that they are politically required :) > I'm not trying to stop progress here. I am simply trying to point out > that choosing a mechanism to implement a facility that won't work in > the end is pretty pointless. Sure the old schemes worked in certain No one is knowingly proposing a mechanism that won't work so far as I can tell. > cases in the olden days. The question is will they work now, and the > answer is obviously "no".
