From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Jarrett Lu <Jarrett.Lu@sun.com>,
selinux@tycho.nsa.gov, labeled-nfs@linux-nfs.org,
nfs-discuss@opensolaris.org, nfsv4@ietf.org
Subject: Re: [Labeled-nfs] [nfsv4] New MAC label support Internet Draft posted to IETF website
Date: Mon, 30 Mar 2009 15:05:06 -0500 [thread overview]
Message-ID: <20090330200505.GE9992@Sun.COM> (raw)
In-Reply-To: <1238431908.2484.42.camel@localhost.localdomain>
On Mon, Mar 30, 2009 at 12:51:48PM -0400, Stephen Smalley wrote:
> On Fri, 2009-03-27 at 17:09 -0500, Nicolas Williams wrote:
> > On Fri, Mar 27, 2009 at 09:22:42AM -0400, Stephen Smalley wrote:
> > > On Fri, 2009-03-27 at 08:55 -0400, Stephen Smalley wrote:
> > > > You can't represent Type Enforcement via MLS/BLP; TE is strictly more
> > > > expressive than BLP, not the other way around. It also has no inherent
> > > > notion of dominance; the access matrix is explicitly defined and may
> > > > include intransitive relationships, which are required for integrity
> > > > goals and guaranteed invocation.
> >
> > I thought that MLS compartment -> DTE type. Is that not the case? I
> > realize that DTE does not have an inherent notion of dominance, but for
> > _documents_ (as opposed to operating system- or application-specific
> > files like /etc/shadow) there surely must be a way to establish
> > dominance, no? That seems important to me.
>
> No, there just needs to be a way to establish authorization. The
> internal logic for determining whether data of a given label is allowed
> to transit over a network interface of a given label is policy-specific
> and shouldn't be limited to the dominance relation. It can just be
> represented as a permission check on a label pair for a given object
> class, and then the security policy logic can internally decide yes/no
> on that permission based on any combination of the dominance relation,
> the TE access matrix, or any other policy constraints.
OK, good -- that's a local-to-end-points consideration, so we can keep
the use of DTE at the end-to-end application layer and CALIPSO at the IP
layer compatible.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2009-03-30 20:05 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-22 19:16 New MAC label support Internet Draft posted to IETF website David P. Quigley
[not found] ` <54E18340-3542-4AB4-843E-E92A67B709A7@storspeed.com>
2009-01-23 17:47 ` [nfsv4] " Peter Staubach
2009-01-23 21:59 ` Glenn Faden
2009-01-23 19:07 ` [Labeled-nfs] " Kevin L. Smith
[not found] ` <33B70CB9-5260-419A-98CF-94847F829570@nokia.com>
2009-01-28 1:17 ` Jarrett Lu
2009-02-09 22:24 ` Peter Staubach
2009-02-11 23:47 ` David P. Quigley
2009-02-12 1:07 ` [Labeled-nfs] " James Morris
2009-02-12 15:36 ` [nfsv4] " Nicolas Williams
2009-02-12 20:00 ` David P. Quigley
2009-02-12 20:11 ` Nicolas Williams
2009-02-17 16:50 ` David P. Quigley
2009-02-17 17:00 ` Nicolas Williams
2009-02-12 19:45 ` David P. Quigley
2009-02-12 15:22 ` [nfsv4] " Nicolas Williams
2009-03-12 16:08 ` David P. Quigley
2009-03-12 17:20 ` Peter Staubach
2009-03-25 8:52 ` Jarrett Lu
2009-03-25 16:33 ` [nfsv4] " Nicolas Williams
2009-03-26 9:25 ` Jarrett Lu
2009-03-26 15:09 ` Nicolas Williams
2009-03-26 22:03 ` Jarrett Lu
2009-03-27 0:11 ` Nicolas Williams
2009-03-27 12:55 ` [Labeled-nfs] " Stephen Smalley
2009-03-27 13:22 ` Stephen Smalley
2009-03-27 17:03 ` Jarrett Lu
2009-03-27 17:26 ` [nfsv4] [Labeled-nfs] " Nicolas Williams
2009-03-27 18:56 ` Jarrett Lu
2009-03-27 22:04 ` Nicolas Williams
2009-03-30 17:37 ` Stephen Smalley
2009-03-30 18:30 ` Jarrett Lu
2009-03-30 20:01 ` Nicolas Williams
2009-03-30 20:03 ` Nicolas Williams
2009-03-30 21:14 ` Stephen Smalley
2009-03-31 5:59 ` Jarrett Lu
2009-03-31 18:28 ` Nicolas Williams
2009-04-01 3:33 ` Jarrett Lu
2009-04-01 6:58 ` [Labeled-nfs] [nfsv4] " James Morris
2009-04-01 8:09 ` Jarrett Lu
2009-04-01 9:49 ` James Morris
2009-04-01 17:50 ` [nfsv4] [Labeled-nfs] " Nicolas Williams
2009-04-02 23:43 ` Jarrett Lu
2009-03-31 3:07 ` Casey Schaufler
2009-03-31 14:47 ` Paul Moore
2009-04-01 7:46 ` Jarrett Lu
2009-04-01 16:46 ` Paul Moore
2009-04-02 15:24 ` Nicolas Williams
2009-04-02 22:35 ` Paul Moore
2009-04-03 4:42 ` Nicolas Williams
2009-04-03 18:08 ` Joy Latten
2009-04-03 1:21 ` Jarrett Lu
2009-04-07 21:30 ` Paul Moore
2009-03-31 18:34 ` Nicolas Williams
2009-04-01 3:42 ` Casey Schaufler
2009-03-28 3:33 ` [Labeled-nfs] [nfsv4] " Casey Schaufler
2009-03-28 5:16 ` Glenn Faden
2009-03-28 5:52 ` Casey Schaufler
2009-03-27 22:09 ` Nicolas Williams
2009-03-30 16:51 ` Stephen Smalley
2009-03-30 20:05 ` Nicolas Williams [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090330200505.GE9992@Sun.COM \
--to=nicolas.williams@sun.com \
--cc=Jarrett.Lu@sun.com \
--cc=labeled-nfs@linux-nfs.org \
--cc=nfs-discuss@opensolaris.org \
--cc=nfsv4@ietf.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.