On Mon, 2004-11-01 at 13:28, Chad Hanson wrote:
> Let me try to give some background.
>
> The ability for a process to perform actions at multiple MLS labels exists
> whether dynamic transitions exist or not. Privilege bracketing does limit
> the use and permits removal of the ability from the process.
>
> MLS level transitions will need to be controlled via new permissions on the
> process class (mls_upgrade and mls_downgrade). Similar permissions will be
> implemented for objects. Most processes will not have the ability to alter
> their MLS level (just as most will not be able to alter their domain). For
> processes that have the ability to alter their mls level, they will need to
> be
> regarded as having access to all levels of information within the process'
> clearance.
>
> I would assume this would along the lines of the trusted reader/writer
> concept. THe app is bounded to an MLS range. Instead of a process being
> ranged and running at unclass-confidential, it is bounded by confidential
> and effectively is running at either unclassfied or confidential and able to
> transition between the two levels.

I think I would need to see your MLS implementation to fully assess the implications, but I'm not clear as to why this requires changing levels dynamically vs. just giving the process the capability to write down while remaining at a single level. Also, I'd be a bit concerned about what happens while the process is running at the lower level, e.g. attempted access by untrusted processes running at that lower level.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.