On 04/11/2011 11:20 AM, Russell Coker wrote:
> On Mon, 11 Apr 2011, Ramon de Carvalho Valle <rcvalle@xxxxxxxxxxxxxxxxxx> wrote:
>> The SELinux mixed policy can have non-hierarchical sensitivities that
>> have the same behavior of a categorized-only environment. Such
>> sensitivities should not be included in the default sensitivity
>> hierarchy (i.e. s0 to s15). Thus, all rules for these sensitivities
>> should be explicitly stated. This allows creating a unique sensitivity
>> for virtual machine environments that is not part of the default
>> sensitivity hierarchy.
>
> One way of doing this is for the sysadmin to assign categories c0.c511 to
> non-VM levels and categories c512.c1023 to virtual machines - or any other
> partitioning scheme that you might imagine. Another possibility is to have
> one category assigned to the sensitivity label for all virtual machines and
> another assigned to the sensitivity label for all contexts that aren't used
> for VMs. If you have two sensitivity labels that are incomparable then no
> data flows between them.

Yes, I agree. However, what I am looking for is a standardization of what
should be implemented in this type of situation, with an additional level of
granularity.

> One of the many ways of using categories would be to assign a discrete pair of
> categories to each thing you want to restrict. One possibility I idly
> considered some time ago was to use MMCS labels for a build server. Every
> package that would be built would be assigned a pair of categories as part of
> the sensitivity label, with the default policy build of 1024 categories that
> permits about half a million combinations which is more than enough to build
> the ~15,000 Debian packages with a different context for each one.

Actually, this is what libvirt does with dynamic labeling enabled. However, it
currently does not work with MLS policy.
-- 
Ramon de Carvalho Valle
Security Engineer
IBM Linux Technology Center
rcvalle@xxxxxxxxxxxxxxxxxx
http://rcvalle.com/
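The two category schemes discussed above (a sysadmin splitting c0.c511 from c512.c1023, and one distinct pair of categories per VM or package build) both rest on the same rule: a level that neither dominates nor is dominated by another gets no data flow in either direction. The following Python is an added illustration written for this page, not code from the thread, from libvirt or from the SELinux reference policy. It parses MCS/MLS level strings, applies the standard dominance test (higher-or-equal sensitivity and a superset of categories), counts the two-category labels a 1024-category build allows, and hands out pair labels restricted to the VM half of the category space. Label syntax and the 1024/s0-s15 limits follow the default policy build mentioned in the thread; everything else (function names, the sample ranges) is this example's own.

```python
# Added example: a small model of SELinux MCS/MLS level dominance and of the
# category partitioning schemes discussed in the thread. Not project code.
import re
from itertools import combinations, islice

NUM_CATEGORIES = 1024  # default policy build: c0 to c1023
MAX_SENSITIVITY = 15   # default hierarchy: s0 to s15

_LEVEL_RE = re.compile(r"s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?")


def parse_level(label):
    """Turn 's0:c0.c511,c600' into (0, frozenset({0, ..., 511, 600}))."""
    m = _LEVEL_RE.fullmatch(label.strip())
    if not m:
        raise ValueError(f"malformed level: {label!r}")
    sens = int(m.group(1))
    if sens > MAX_SENSITIVITY:
        raise ValueError(f"sensitivity out of range: {label!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")        # 'c0.c511' -> 'c0', 'c511'
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo         # single 'c7' is the range 7..7
        if lo > hi or hi >= NUM_CATEGORIES:
            raise ValueError(f"bad category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return sens, frozenset(cats)


def dominates(a, b):
    """True if level a may see everything at level b: sens(a) >= sens(b)
    and cats(a) is a superset of cats(b)."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and ca >= cb               # frozenset >= is superset-or-equal


def comparable(a, b):
    """Incomparable levels (neither dominates) permit no data flow at all."""
    return dominates(a, b) or dominates(b, a)


def max_pair_labels():
    """Distinct two-category labels available in one sensitivity: C(1024, 2)."""
    return NUM_CATEGORIES * (NUM_CATEGORIES - 1) // 2


def pair_labels(count, sens=0, first_cat=0, last_cat=NUM_CATEGORIES - 1):
    """First `count` distinct 'sN:cA,cB' labels drawn from one category range.
    Restricting the range (e.g. 512..1023) keeps every label inside the VM
    half of the sysadmin partitioning scheme, so none of them is comparable
    with anything labelled from the non-VM half."""
    pool = combinations(range(first_cat, last_cat + 1), 2)
    labels = [f"s{sens}:c{a},c{b}" for a, b in islice(pool, count)]
    if len(labels) < count:
        raise ValueError("category range too small for that many labels")
    return labels


if __name__ == "__main__":
    host, guests = "s0:c0.c511", "s0:c512.c1023"   # constructed sample split
    print(f"{host} vs {guests}: comparable={comparable(host, guests)}")
    print("distinct pair labels in one sensitivity:", max_pair_labels())
    for lab in pair_labels(3, first_cat=512):
        print(lab, "comparable with host half:", comparable(lab, host))
```

Two distinct pair labels are always incomparable because equal-sized category sets can only be supersets of each other when they are identical; that is why one pair per VM or per package build isolates them from one another without any per-pair rules. The count printed is 523776, the "about half a million" figure from the thread.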