Return-Path: linux-nfs-owner@vger.kernel.org Received: from countercultured.net ([209.51.175.25]:37054 "HELO countercultured.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S933372Ab2K3Q7O (ORCPT ); Fri, 30 Nov 2012 11:59:14 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Date: Fri, 30 Nov 2012 11:59:12 -0500 From: David Quigley To: "J. Bruce Fields" Cc: Stephen Smalley , Casey Schaufler , , , , Subject: Re: Labeled NFS [v5] In-Reply-To: <20121130165544.GF614@fieldses.org> References: <50B7FEFB.30109@schaufler-ca.com> <579e850139bd3d5a0c9155270d5d9fbe@countercultured.net> <50B810D2.2000401@schaufler-ca.com> <3ea3f70e0a5cdb99f1594019b7bd619d@countercultured.net> <20121130121437.GC614@fieldses.org> <607a8005d6c33a19c53b5ede29d81ef5@countercultured.net> <5170c3bd8900c36b372217af96e5e764@countercultured.net> <50B8B47F.5050206@tycho.nsa.gov> <50B8B9BF.7000802@tycho.nsa.gov> <20121130165544.GF614@fieldses.org> Message-ID: Sender: linux-nfs-owner@vger.kernel.org List-ID: On 11/30/2012 11:55, J. Bruce Fields wrote: > On Fri, Nov 30, 2012 at 08:50:55AM -0500, Stephen Smalley wrote: >> On the SELinux side, we don't require CAP_MAC_ADMIN to set the >> SELinux attribute on a file in the normal case, only when the >> SELinux attribute is not known to the security policy yet. So >> granting CAP_MAC_ADMIN there means that a client will be able to set >> security contexts on files that are unknown to the server. I guess >> that might even be desirable in some instances where client and >> server policy are different. > > Note (as you probably know) this first pass at labeled NFS only lets > us > label files, not rpc calls--if we want the server to know who's doing > something (beyond the information the rpc headers already carry), > we'll > need to implement rpcsec_gss v3, and that's a project for another > day. > > I've been assuming that makes server-side enforcement less useful for > now. > > --b. Ideally what will happen is that when we get RPCSECGSSv3 in we'll set the security context in the same place that we set uid and gid for the process in the auth code. Until then you're right server side enforcement really isn't possible because we have whatever context the kernel gives to the thread being our security context. In the SELinux case this is the all powerful kernel_t in the smack case its the floor context. Dave