Hello,

Stephen Smalley wrote:
> MCS deviates from this scheme by only using the high level and by
> requiring the user/application to intentionally label the objects as
> desired up to their high level - that is part of what makes it
> discretionary.

It is okay that the system is discretionary, and I don't question that fact. I question the way labels get assigned *per default*. In comparison to DAC, it would mean that all files are created with an umask of 000 and you are required to change the resulting permissions afterwards. You cannot expect that every application out there is aware of MCS and/or that every user uses chcat thoroughly on all new files (plus there are issues like text editors making a copy of a file prior to editing). So, in other words, the DAC nature of MCS is okay; it is just that there should be some more sensible defaults pointing towards preservation of labels on objects in their respective containers. The Unix setgid bit can do that on directories, as do default ACLs, both being mechanisms of DAC.

Secondly, I don't see why a user is not able to discretionarily specify his range outright when going via ssh, just as he can with roles.

> Perhaps you ought to use MLS instead. Or just use TE and define domains
> and types for these processes and files.

No. MLS is about strict ordering 0 < 1 < 2 ...; I just want a partially ordered set. I want compartments, not sensitivities. MCS and MLS are orthogonal, at least by their theoretical properties (and SELinux MCS strongly resembles the theory in practice). And TE? Almost any of these models can be simulated by TE, given that types are granular enough, but I don't want the number of types to be a quadratic function of compartments, plus the hassle associated with that.

With regards,
Michal Svoboda
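The two technical points in the message above, that MCS categories form a partially ordered set while MLS sensitivities form a chain, and that a new file gets no categories by default (the "umask 000" analogy) until someone runs chcat, as an added toy model in Python. This is example code written for this page, not code from the thread or from the SELinux project. It assumes the usual level syntax (`s<N>` plus an optional `:c<a>,c<b>.c<d>` category list, where `.` denotes a range), that a process context carries a `low-high` range, that a newly created file takes the creating process's low level, and that reading a file requires the process's high level to dominate the file's level; the `chcat` function is a stand-in for the real tool, and the parsing rules are simplified.

```python
import re

# Toy model of SELinux MCS/MLS level dominance. Added example, not code from
# the thread or from SELinux itself. Assumptions: level syntax is
# 's<N>[:c<a>[.c<b>][,...]]', a process context carries a 'low-high' range,
# a new file receives the creating process's low level, and a process may read
# a file when its high level dominates the file's level.

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(text):
    """'s0:c1,c3.c5' -> (0, frozenset({1, 3, 4, 5})); '.' expands a category range."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError("bad level: %r" % text)
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:
                lo, hi = part.split(".", 1)
                lo, hi = int(lo.lstrip("c")), int(hi.lstrip("c"))
                if lo > hi:
                    raise ValueError("bad category range: %r" % part)
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(part.lstrip("c")))
    return sens, frozenset(cats)


def dominates(a, b):
    """a dominates b iff a's sensitivity is >= b's and a's categories contain b's."""
    return a[0] >= b[0] and b[1] <= a[1]


def parse_range(text):
    """'s0-s0:c7' -> (low, high); a bare level means low == high."""
    if "-" in text:
        low, high = text.split("-", 1)
    else:
        low = high = text
    low, high = parse_level(low), parse_level(high)
    if not dominates(high, low):
        raise ValueError("high level must dominate low level: %r" % text)
    return low, high


def compare(a, b):
    """Four outcomes: in a lattice two levels may be incomparable, unlike a chain."""
    up, down = dominates(a, b), dominates(b, a)
    if up and down:
        return "equal"
    if up:
        return "dominates"
    if down:
        return "dominated"
    return "incomparable"


def default_file_level(proc_range):
    """The complaint in the message: the new file gets the process's low level,
    i.e. no categories, however many the process itself holds ('umask 000')."""
    low, _high = parse_range(proc_range)
    return low


def can_read(proc_range, file_level):
    """Read access requires the process's high level to dominate the file level."""
    _low, high = parse_range(proc_range)
    return dominates(high, file_level)


def chcat(file_level, *cats):
    """Stand-in for 'chcat +cN file': add categories to the file level afterwards."""
    return file_level[0], file_level[1] | frozenset(cats)


if __name__ == "__main__":
    # MLS: sensitivities form a chain, so any two levels are comparable.
    print(compare(parse_level("s2"), parse_level("s1")))        # dominates
    # MCS: categories form a lattice; c1 and c2 are incomparable compartments.
    print(compare(parse_level("s0:c1"), parse_level("s0:c2")))  # incomparable
    # Default label: a c7 process creates a file, and a c3 process can read it.
    f = default_file_level("s0-s0:c7")
    print(can_read("s0-s0:c3", f))                               # True
    # Only after an explicit chcat is the file confined to its compartment.
    print(can_read("s0-s0:c3", chcat(f, 7)))                     # False
```

The model deliberately keeps only what the message argues about: `compare` shows why a set of categories is a partial order (two single-category levels are neither above nor below each other), and the `default_file_level`/`chcat` pair shows why a file created by a process in one compartment is readable from another compartment until it is relabelled by hand.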