On Fri, 2009-03-27 at 08:55 -0400, Stephen Smalley wrote: > On Thu, 2009-03-26 at 19:11 -0500, Nicolas Williams wrote: > > On Thu, Mar 26, 2009 at 03:03:00PM -0700, Jarrett Lu wrote: > > > CALIPSO spec doesn't tie a DOI with a particular label encoding. For > > > > CALIPSO is very specific about label domination -- that means that > > having any application protocol w/ labeling above IP requires that we be > > able to determine whether an application-level label is dominated by a > > CALIPSO label, and the rules given are MLS with Bell-LaPadula. > > > > Perhaps that does not mean that we must adopt MLS and Bell-LaPadula at > > the application layer, but it certainly seems like the easiest path, > > particularly if we can also represent DTE that way. > > You can't represent Type Enforcement via MLS/BLP; TE is strictly more > expressive than BLP, not the other way around. It also has no inherent > notion of dominance; the access matrix is explicitly defined and may > include intransitive relationships, which are required for integrity > goals and guaranteed invocation. Also, in the case of SELinux and FMAC, the security context is more than just a domain/type; it contains all of the security attributes relevant to the security policy model, which in the case of the example security server includes a user identity, a role, a domain/type, and a MLS range (optionally just a single MLS level in the degenerate case where low == high). But as far as the protocols are concerned, the entire security context is just an opaque string. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
