
SELinux Mailing List

RE: dynamic context transitions

From: Chad Hanson <chanson_at_TrustedCS.com>
Date: Mon, 1 Nov 2004 09:11:00 -0500

>
> On Sun, 2004-10-31 at 17:47, Frank Mayer wrote:
> > > The MLS model is another reason for this functionality. We have
> > > chosen to create MLS policy overrides using a new SELinux MLS
> > > capability class.
> >
> > I have not thought greatly about this choice, but I wonder if it was wise to
> > make the MLS mechanism dependent on the capability mechanism. Orthogonal
> > mechanisms would seem smarter.
>
> Point of clarification: These MLS capabilities only exist as TE
> abstractions, not as part of the Linux capabilities logic, IIUC. Using
> TE to control MLS privileges is desirable.
>

This is correct. We believe the existing capabilities logic shouldn't be extended and thus added a new TE class for MLS override logic. These "MLS capabilities" only affect MLS policy decisions. In our desired implementation, SELinux would arbitrate all capability decisions and obsolete the capability module.

> > Ah and here we have the beginning of the slippery slope. This might be easy in
> > terms of lines of code, but the conceptual complexity of what you describe above
> > scares me. I still wonder why we have to change TE to support a MLS convention.
> > I'd much rather you did not make these mechanisms dependent on each other.
>
> TE was originally developed to fill in the gaps of MLS, including
> privilege management for trusted subjects. Using TE to control MLS
> privileges is a good thing. Whether or not privilege bracketing is a
> good thing is more open to debate, although it is clearly entrenched in
> applications today, and not just MLS applications; the prior requests
> for such a feature have been to support traditional Unix applications
> that presently use seteuid/setfsuid.
>

IMHO the combination of MLS and TE is the next step in increasing the security of solutions. Existing MLS applications and systems have weaknesses. Using TE to model a complex MLS scenario is not a good idea. The combination of the two technologies creates the strongest foundation.

-Chad



Chad Hanson
Senior Secure Systems Engineer

Trusted Computer Solutions
121 W Goose Alley
Urbana, IL 61801

www.TrustedCS.com

V: 217.384.0028 ext.12
F: 217.384.0288

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 1 Nov 2004 - 09:10:43 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service