Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)

Casey Schaufler <> Tue, 07 April 2009 03:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4DF023A6B92 for <>; Mon, 6 Apr 2009 20:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.507
X-Spam-Status: No, score=-2.507 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wvACYOveHRK4 for <>; Mon, 6 Apr 2009 20:03:03 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 987373A6D4E for <>; Mon, 6 Apr 2009 20:03:02 -0700 (PDT)
Received: (qmail 57973 invoked from network); 7 Apr 2009 03:04:08 -0000
Received: from unknown (HELO ? (casey@ with plain) by with SMTP; 7 Apr 2009 03:04:08 -0000
X-YMail-OSG: ueV0.lYVM1nRbR5iB77VFh52zT7_k4d5WStHFc5QIs17tAowvYqD5oYKh20L0NmGMNBJP9PZKOFmGUw2xSeLOoRYZri.eiYUgg_hrW_sDT_UUSIu8m653yJpAtZovTPqllZ.QeTLI4uIQU.OTEJPnla43a6_PB5L6hwnVRFM2GjLRFkEdJVor1uFmU0IZOhDx2Hk942X61e5QPZr148m9OG0Y9uTcsl8GP72C_K8PE8Zcr7G9hmfKOgWfB4YjAyLjDqXj8hPPwkkrxlTCd3efQq0VuHYdDpwPlAEIdo56UdGCt7.
X-Yahoo-Newman-Property: ymail-3
Message-ID: <>
Date: Mon, 06 Apr 2009 20:03:57 -0700
From: Casey Schaufler <>
User-Agent: Thunderbird (Windows/20090302)
MIME-Version: 1.0
To: Russ Housley <>
References: <20090402154402.GM1500@Sun.COM> <> <> <> <> <> <> <20090406151606.GQ1500@Sun.COM> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 07 Apr 2009 11:18:16 -0700
Cc: Nicolas Williams <>,, Kurt Zeilenga <>,,,, Casey Schaufler <>, Santosh Chokhani <>
Subject: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Apr 2009 03:03:10 -0000

Russ Housley wrote:
> ...
> No.  They are two separate concerns.
> Mapping labels between two different policies.  Hopefully this can be 
> avoided altogether in the NFS context.

I don't think so. Two SELinux machines will most likely have different
policies even if they installed from the same media on similar hardware
with similar configurations. If there's any reason for the NFS server
to know anything about the client that impacts policy enforcement the
server has to know enough to make that judgment correctly. If the server
can ignore the client's policy there is no need to send any information.
If the server can't ignore the client's policy it needs to be able to
reconcile the local policy to the remote policy in order to enforce
reasonable policy.

The problem is that the server is using client subject information
to enforce policy based on server object information. If the policies
are similar (e.g. two Bell & LaPadula MLS systems) enforcement is
merely difficult because the two system may have different values for
what means "UNCLASSIFIED". For an SELinux system and an MLS system
to work you've got much more on your hands than matching up category
bits. If you don't do so however you can not make an access control
decision based on the information passed from the other side that can
possibly make sense.

You could decide that the server should enforce server policy and
require that the client enforce client policy and hope that between
the two nothing leaks out that you really care about. I seriously
doubt that's what you want.

So you're back to mapping policies. You have to map policies if you
want either side to do all the work. The mechanisms used to map
labels used by different installations of the same 1990's MLS systems
will not work for SELinux systems installed for different purposes by
disjoint agencies.

I'm not trying to stop progress here. I am simply trying to point out
that choosing a mechanism to implement a facility that won't work in
the end is pretty pointless. Sure the old schemes worked in certain
cases in the olden days. The question is will they work now, and the
answer is obviously "no".