Stephen Smalley wrote:
On Mon, 2009-03-30 at 11:30 -0700, Jarrett Lu wrote:
On 03/30/09 10:37, Stephen Smalley wrote:
On Fri, 2009-03-27 at 11:56 -0700, Jarrett Lu wrote:
Nicolas Williams wrote:
On Fri, Mar 27, 2009 at 10:03:35AM -0700, Jarrett Lu wrote:
I agree with your statements on TE vs. MLS/BLP. The problem we try to
solve is whether a DOI field + an opaque string is sufficient to solve
the interoperability problem. My opinion is that it's insufficient as it
doesn't take the "how to interpret MAC attribute agreement among all
communicating peers" into account. The current proposal seems to assume
when a node sees a DOI value of 5, it knows how to interpret the opaque
field. This may not be true. In MLS, one also needs to know which agreed
upon label encoding file to use in order to interpret label in the
opaque filed. I believe the same is true for TE -- one needs to know the
security policy being used in order to correctly interpret security
context string in the opaque field. DOI + opaque field doesn't say which
label encoding scheme or which security policy.
What would you add or remove on the wire to solve this problem? My
guess: a registry of per-DOI rules, like CALIPSO does. I don't think a
registry of DOI rules is strictly necessary for NFS (though I can see
how it helps in the case of IP), but I certainly don't object.
I don't yet see a good way to solve this problem using bits on the wire.
The agreement on what label encodings or security policy to use seems
better solved in an out of band manner. For example, on a (secure)
website, you can say "download this label encoding file or configure
your MAC system with this policy and use DOI number 5. Then we can talk".
BTW, CALIPSO with IP module has the same issue. While the spec talks a
lot about how a CALIPSO system should behave, CALIPSO can't tell its
peers to use a particular label encoding. That's done outside CALIPSO.
I believe it's still worthwhile to request adding a DOI + an opaque
field in NFSv4 protocol. The spec should be clear that other
arrangements need to be made before interoperability can take place.
Once we decouple DOI from how the opaque field should be interpreted,
it's possible for NFSv4 to use CALIPSO DOI. For example, DOD can reserve
DOI 1000 through 1005. It can then decide that 1000 is only used by MLS
systems with a particular label encoding; and 1004 is for TE systems
configured with a particular secular security policy. As long as all
systems using these DOIs agreeing to that, they can communicate with
each other. But the agreement happens outside NFSv4 protocol itself. I
understand this is different from the public internet where all you need
is an IP address to communicate. But this is how MAC systems are used, I
believe.
I'm not sure if this conflicts with what you are saying, but the DOI
should merely identify the (externally) agreed-upon network label space
for the data to be shared between the communicating systems. That label
space shouldn't need to be identical to the native/host label spaces of
any of the individual systems; they just need to have a way of mapping
between their host label spaces and the network label space identified
by the DOI in a manner that preserves their security goals. The two
systems shouldn't necessarily have to share a label encodings file or
security policy configuration in order to communicate using a given DOI.
As Casey and others pointed out, a lot more information about a
communicating peer is needed in order to be able to translate a label
and other security attributes.
Yes, but the DOI is all that NFSv4 needs to convey in order to identify
that (external) information (i.e. the DOI is the key/identifier by which
the receiving system looks up the right set of translation/mapping
functions for dealing with the network label space associated with the
DOI, where the translation/mapping functions are configured via
information established OOB to NFSv4 itself). Defining precisely how
that external information gets populated is IMHO out of scope for
NFSv4.
That's certainly one option. We can say DOI + an opaque field is what we
will add to NFSv4 protocol. Use the information as you see fit. Going
this route, we basically punt on the label interpretation / translation
problem. I believe this simple DOI + opaque attribute does add value as
it provides an potentially easier way for compatible systems to
communicate label attributes on file objects. I was trying to explore
whether it makes sense to include other information (e.g. OS version,
signature of security policy or label encoding files) to make handling
of label interpretation and translation easier.
People have tried this in 90's. Apparently the solution is no longer
in use today. Maybe we can do something better 15 years later. The
first step is to figure out how much information is needed and then
look into how to get this info across securely. GSS_SEC may be able to
help us. To make NFSv4 work, only TCP is needed. So peer information
is needed per session vs. per packet, I believe. Evidently, there is
more work to do in figuring this all out.
A process related question: Should we move the "design" related
discussion to a smaller alias? I assume most people don't care about
the details and prefer not see this in their email inbox. I set up a
mail alias, doi-discuss@xxxxxxxxxxxxxxx, a few months ago for a
similar discussion. If people think that's a good way to go, I can
provide more info.
Seems like it just becomes one more list that people have to follow to
get the whole picture for labeled NFS.
Continuing on these lists is fine with me. People on these lists
probably have high tolerance on postings that don't care about.
Jarrett
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
