On Tue, 2004-11-02 at 09:06, Frank Mayer wrote:
> But my instinct still says that orthogonal, rather than hybrid, TE/MLS would be
> better. I'm trying to read up on the reasons for the design decision but
> perhaps you could explain further the rationale for the dependency (other than
> implementation detail).

MLS requires some way to identify trusted subjects and grant them the necessary privileges to override the BLP restrictions. How would you do it? Conventional approaches include POSIX.1e capabilities (e.g. if the process has the CAP_MAC_WRITE capability, it can write down) or TE (e.g. if the policy contains "allow foo_t bar_t:file mls_writedown;" then a process in "foo_t" can write down to files labeled "bar_t"). Either approach lets you bind MLS privileges to specific programs, but the TE-based approach is clearly finer-grained (per-object) and provides better support for protecting and isolating the trusted subject. We didn't invent this idea, TE has been used in this manner from the beginning IIUC (and we have certainly used it in this manner in research predecessors of SELinux).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.