Stephen Smalley wrote: >> ... >> >> - For DTE I've no idea what to do. Policy agreement seems like a >> flight of fancy for DTE. But *much* more importantly, because the >> process label transitions can span so many labels we simply cannot >> have too smart a server: the server can't meaningfully constrain the >> labels that a user@client can assert, therefore the server must trust >> all client assertions of process DTE labels or none at all. >> >> I.e., for DTE we can only have "dumb" servers. >> > > Why? While it is certainly true that a given client may be authorized > to assert numerous discrete domains, that does not mean that a server > cannot limit a client to a specific set of domains. That can be modeled > via a permission check on a label pair and security class, just like > everything else. > I think that the point is that for that to be interesting you need to have a significant number of subject-label/object-label/class triples from the client available on the server. Additionally, it assumes that the object label available to the server is in fact the label from that client, not the server, and not a different client. Unless you can map the object label on the file, wherever it originated, to a label that is appropriate to the client's policy. And heaven forbid that the client that "owns" the label on the file should change it's policy and reboot. Now what you have is at best no mapping, and at worst a mapping that reflects the old, no longer considered "secure" policy. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
