Hello,

Stephen Smalley wrote:
> MCS deviates from this scheme by only using the high level and by
> requiring the user/application to intentionally label the objects as
> desired up to their high level - that is part of what makes it
> discretionary.

It is okay that the system is discretionary, and I don't question that
fact. I question the way labels get assigned *per default*. In
comparison to DAC, it would mean that all files are created with an 
umask of 000 and are required to change the resulting permissions
afterwards. You can not expect that every application out there is
aware of MCS and/or that every user uses chcat thoroughly on all new
files (plus there are issues like text editors making a copy of a file
prior to editing).

So in other words DAC nature of MCS is okay it is just that there should
be some more sensible defaults pointing towards preservation of labels
on objects in their respective containers. The unix setgid bit can do
that on directories, as do default ACLs, both being mechanisms of DAC.

Secondly I don't see why a user is not able to discretionarily specify
his range outright when going via ssh just as he can with roles. 

> Perhaps you ought to use MLS instead.  Or just use TE and define domains
> and types for these processes and files.

No. MLS is about strict ordering 0 < 1 < 2 ... I just want a partially
ordered set. I want compartments, not sensitivities. MCS and MLS are
orthogonal, at least by their theoretical properties (and SELinux MCS
strongly resembles the theory in practice).

And TE? Almost any of these models can be simulated by TE, given types
are granular enough, but I don't want the number of types be a quadratic
function of compartments plus the hassle associated with that.

With regards,
Michal Svoboda