--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

quoted text
> 
> On Thu, 2008-02-28 at 11:23 -0800, Casey Schaufler wrote:
> ...
> > LSM is not supposed to be only for MAC and it's not supposed
> > to be only for label based schemes. It's supposed to be
> > for additional security restrictions. Providing an interface
> > that should be generally applicable with a name that
> > constrains it to a specific subset of those schemes is wrong.
> 
> Casey, you aren't listening (why am I surprised?).

I think that I am listening, and I appologize for doing
such a poor job of getting my view on the across.

quoted text
> This is an interface to be used by NFS to get information from the
> security module.  The information desired is specific to the MAC
> labeling functionality in NFSv4 that is being proposed.

Do you understand that if the functionality being proposed
is specific to a particular file system it ought to be contained
in that file system, not proposed as a part of the general
purpose interface?

quoted text
> That
> functionality is MAC specific (necessarily so, just like the ACL
> functionality is ACL specific).

The ACL funtionality over NFS could be done using general interfaces,
and there are examples (e.g. Irix) where it has been done. I
understand the rationale for the current implementation while
disagreeing with that rationale. Further, there is a major difference
between ACLs and a legitimate LSM (for MAC or DAC) in that ACLs
are a change to the Linux access control scheme (they interact with
the mode bits) whereas a legitimate LSM is strictly additional
restrictions.

quoted text
> We are hiding the SELinux-specific bits
> behind the LSM interface, and non-MAC LSMs are free to return NULL in
> order to indicate that they don't support MAC labeling.  We do NOT want
> the capability module to return its security blob here, or any other
> non-MAC LSM - it will yield the wrong semantics for the NFS MAC support.

I should hope then that your SELinux specific NFS server should
look at the name presented and treat it appropriately.

quoted text
> In any event, I don't think we need your permission.

You're correct, you don't. You can propose anything you like.
Don't take my criticisms personally, but I think you're wrong
on this one. I don't like to see this unnecessary limitation,
the kind that could haunt the code base for years, when it seems
pretty obvious that it could be better.



Casey Schaufler
casey@schaufler-ca.com
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/