On Fri, 2004-06-04 at 04:03, Russell Coker wrote:
> On Fri, 4 Jun 2004 05:57, Luke Kenneth Casson Leighton <lkcl@xxxxxxxx> wrote:
> > all in the same single monolithic daemon that bound itself
> > to several different ports and several different unix domain
> > sockets, you wouldn't seriously consider saying that "this
> > hybrid is a trusted application" would you?
>
> "trusted" in this context does not mean "the code is great and we can totally
> trust it", but rather "due to the design of the system we have no choice but
> to trust it as it can totally break the security if it has a problem".

Further point of clarification: It only has to be trusted to maintain
separation of data for the security contexts it is allowed to access, e.g.
it might be allowed to access data from multiple user roles and maintain
their separation without being allowed to access administrator or system
files. So the trust is not absolute; the OS is still enforcing some degree
of confinement over the application.

I think Frank Mayer of Tresys has previously suggested using "trustworthy"
vs. "trusted" to distinguish the cases noted by Russell.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency