Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)

[Nicolas Williams <Nicolas.Williams@sun.com>]

On Tue, Apr 07, 2009 at 08:02:50PM -0700, Casey Schaufler wrote:
> Wow.
> 
> Before I go too far, how familiar are you with MLS, SELinux, or Smack?

I'm familiar with Solaris TX (which is MLS).  I'm also familiar with the
OpenSolaris community that is trying to extend the TX model to include
DTE.  I don't know much at all about SELinux or Smack.

I think common security policies for MLS are within reach.  DTE... not
so much.  Some subsets of specific DTE policies, probably on a
per-application basis, should be.

> All three provide general security policy models (Opinions vary on MLS)
> but none would lend themselves as a "generic" model. MLS is strictly
> oriented toward sensitivity, SELinux depends on the programs installed
> on the machine, and Smack uses no syntax in its labels at all. An
> interoperable encoding of policies might be possible for very limited
> policies. I suggest that mapping any other policy to the SELinux
> reference policy is beyond the state of the art, and I welcome an
> informed argument that proves me wrong. Two peers negotiating a

IIUC it should be possible to generate SELinux policies from generic
ones, but not the reverse.  If so then that provides a path to
interoperable deployment, though it would mean sacrificing some
flexibility.  Can you clarify my understanding?

> policy subset? How does that help? Regarding the notion that the issue
> of label equivalences is "least critical", I don't see how you can
> claim to have successfully addressed any of the other bullet items
> without it.

Why send data at some label to a peer who doesn't understand what that
label is?

As for label equivalencies I was referring to the example cited earlier
of multiple agencies with different MLS policies needing to communicate.
To clarify: by "less critical" I meant that we could solve the
equivalency problem later (provided we don't paint ourselves into any
corners).

> You're busy stocking the nursery and you haven't kissed the girl yet.

Thanks.

> If the information from the client is meaningless to the server the
> server can not use it to make an access control decision. Same goes
> the other way. With Smack I can assert that the label space for the

Therein lies the interop problem.  Will SELinux and Solaris TX interop
with the labeled NFSv4 protocol we're working on?  Evidently: not w/o
policy agreement (that was Jarret's point, which kick-started this
thread on the NFSv4 WG list).

> client and server are the same and that it's OK if they use the labels
> passed around even if their rule sets differ. I know a good number of
> people who would find such an assertion dangerous, maybe even
> criminal. Label representations are meaningless without the policy

So you're saying that a) "a good number of people" think a solution is
needed that allows the client and server to each know with certainty
that the other will understand their labels, b) you're among those
people (?), but c) no solution is feasible.  Correct?

So close up shop, forget interop?  Or did I misunderstand you?  What is
the message that you're imparting here?  I get the impression that it's
"you can't solve this problem" and "I know what I'm doing" (and "you
don't") but you're not telling us what it is that is.  Is what you
really mean "forget labeled protocol interop"?  Please clarify.

> behind them and mapping policies is hard enough that you could probably
> get a PHD from a reputable institution by measuring just how hard it
> is.

I'm not interested in a PhD.  I'm interested in solutions.  SPIF is
evidence that it's been tried.  But I know little about how successful
SPIF has been.

Nico
--