Re: Making forward progress

From: Stephen Smalley (sdsat_private)
Date: Fri Aug 03 2001 - 09:56:05 PDT

    On Fri, 3 Aug 2001 Valdis.Kletnieksat_private wrote:

    > Are you prepared to tell the customers down the road "You can use NFSv4,
    > or you can use LSM, but you can't get LSM support for securing NFSv4 because
    > the LSM folks thought NFSv4 was clearly out of scope?"

    I suppose I wasn't clear.  A security module can use LSM to enforce
    additional access controls on NFS file systems in the same manner as for
    other file systems - using the existing hooks in the VFS layer.  My
    point is that LSM shouldn't try to solve NFSv4's DAC problems.  That
    is out of our scope.

    > If NFSv4 is *clearly* out of scope, I'll propose that the networking hooks
    > are out of scope too.  After all, anybody who cares about security doesn't
    > hook their boxes up to the wire, right? ;)

    That doesn't follow.  LSM provides hooks to control access to the
    various kernel objects (files, sockets, network interfaces, etc).

    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list