Re: Making forward progress

• Previous message: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• In reply to: Valdis.Kletnieksat_private: "Re: Making forward progress"
• Next in thread: Stephen Smalley: "Re: Making forward progress"
• Next in thread: richard offer: "Re: Making forward progress"
• Reply: Stephen Smalley: "Re: Making forward progress"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* frm Valdis.Kletnieksat_private "08/02/01 14:14:54 -0400" | sed '1,$s/^/* /'
*
* 
* Similarly, we discussed DAC before, but today was the first time I've seen
* the issue of NFSv4 raised in conjunction with it.  Now, unless there are
* clear and obvious reasons to label NFSv4 a DOA technology, we *WILL* have
* to figure out how to make it play well with DAC.

Going back to Linus's opening words :-

>  - true simplicity. "euid == 0" is this. capabilities are an approximation
>    of this, and it turns out that almost nobody even uses capabilities
>    just because they are complex enough to administer that they are of
>    dubious value in many cases. The notion of an extended "suid" bit (with
>    an ELF header of capabilities) has been bandied around for a long time,
>    and the fact is that it would be a total maintenance nightmare. And
>    that's the _simple_ case.
>
>    This is where Linux is now, and this is where we'll remain, unless we
>    get the alternative:
>
>  - truly generic. No "MLS" vs "TE" vs "uid==0" vs "capability" at ALL.
>    Something where the "uid == 0" version of security is just one case
>    (which the embedded people might use), or where SELinux would be just a
>    matter of loading the SELinux module and installing _that_ security
>    model.


I don't think that the current solution really is "truly generic". It can't
support POSIX MAC, embedded systems or POSIX ACLs. And those are things we
know about today. If there are three known, there are likely to be more
unknown.

NFSv4 isn't even on the radar and yet it will be an big issue, probably
bigger than the others, since it will be implemented and deployed outside
of the traditional security community.

* 
* 				Valdis Kletnieks

-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________


_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: KRAMER,STEVEN (HP-USA,ex1): "RE: Making forward progress"
• Previous message: jmjonesat_private: "Re: The Demise of Simple Assurance?"
• In reply to: Valdis.Kletnieksat_private: "Re: Making forward progress"
• Next in thread: Stephen Smalley: "Re: Making forward progress"
• Next in thread: richard offer: "Re: Making forward progress"
• Reply: Stephen Smalley: "Re: Making forward progress"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 08:21:32 PDT