On Friday 23 December 2005 19:23, Arjan van de Ven <arjan@xxxxxxxxxxxxxxx> wrote:
> given that even RHEL4 can't get compatibility code.. why go through this
> pain in the first place? Is MLS a compelling enough feature for fedora
> to go through this pain? Is it even used for something or by someone in
> the first place?

Firstly the vast majority of Fedora and RHEL users will never use MLS. What they will use is MCS which is based on some of the features of MLS (it's not a sub-set of MLS though).

MCS provides some compelling benefits in terms of managing secret data. It allows the administrator to create a set of named "categories" for labelling data. Each user login will have a set of categories (which may be empty) assigned to it from the 256 available categories (we produce binary policies that support 256 categories; the administrator can change this but it's unlikely that they would need to). Every file on disk will have a set of categories (which may be empty). To access a file when running the MCS policy the process must have a set of categories that's a superset of the categories assigned to the file.

This provides several features that are not available in any other way. One is that a file can have multiple categories that are all required by every process that may access it. Traditionally this is implemented by supplemental groups and having the file in question and the directory containing it owned by different groups such that one group is required for directory access and another for file access.

Another feature that we are still working on is the exact method of determining how categories are granted to processes. I'm working on a patch that makes categories mandatory and permits a process to launch a child process with a subset of its categories. This permits a process to launch a child with less access than it has (something that a non-root process can't do with traditional Linux access control).
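The superset rule and the "child gets a subset of the parent's categories" idea above, as an added worked example (my own code, not from Russell's post or from the SELinux policy sources). It models MCS categories with the standard SELinux label notation (`s0:c1,c3.c5`, where `c3.c5` is an inclusive range) and the 256-category default the post mentions; the function names are my own.

```python
# Added example: toy model of the MCS access rule described in the post.
# A process may access a file only if its category set is a superset of
# the file's categories; a child may be launched with a subset of its
# parent's categories. Labels use SELinux MCS syntax: "s0:c1,c3.c5".

NUM_CATEGORIES = 256  # default category count of the binary policies described


def parse_categories(label: str) -> frozenset:
    """Return the category set of an MCS label (or bare category list).

    "s0" or "" -> no categories; "c3.c5" -> {3, 4, 5}; "c1,c3.c5" -> {1, 3, 4, 5}.
    Raises ValueError for malformed or out-of-range categories.
    """
    if label.startswith("s"):  # strip the sensitivity part, e.g. "s0:"
        label = label.split(":", 1)[1] if ":" in label else ""
    cats = set()
    for part in filter(None, label.split(",")):
        if "." in part:  # inclusive range cN.cM
            lo, hi = (int(p.lstrip("c")) for p in part.split(".", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(part.lstrip("c")))
    bad = sorted(c for c in cats if not 0 <= c < NUM_CATEGORIES)
    if bad:
        raise ValueError(f"category out of range 0..{NUM_CATEGORIES - 1}: {bad}")
    return frozenset(cats)


def may_access(process_label: str, file_label: str) -> bool:
    """MCS constraint: the process must hold every category the file carries."""
    return parse_categories(process_label) >= parse_categories(file_label)


def child_categories(parent_label: str, requested_label: str) -> frozenset:
    """Launch check: a child may only receive a subset of the parent's categories."""
    parent, requested = parse_categories(parent_label), parse_categories(requested_label)
    if not requested <= parent:
        raise PermissionError(f"child would gain categories the parent lacks: "
                              f"{sorted(requested - parent)}")
    return requested
```

Note that a process with no categories still dominates a file with no categories, which is why unlabelled data stays reachable under the default `s0` login.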
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page