On Thu, May 17, 2012 at 10:06 AM, david caplan <dac@xxxxxxxxxx> wrote: > On 5/15/2012 2:45 PM, Paul Moore wrote: >> On Tuesday, May 15, 2012 11:46:27 AM Christopher J. PeBenito wrote: >>> On 05/15/12 11:04, Paul Moore wrote: >>>> On Tuesday, May 15, 2012 10:47:25 AM Christopher J. PeBenito wrote: >>>>> On 05/15/12 10:13, Paul Moore wrote: >>>>>> See my earlier comments in this thread about being able to verify the >>>>>> correctness of the secmark labels. This has always been my core concern >>>>>> with your argument: you are concerned about the ability for policy to >>>>>> control network traffic labeled via secmark, but you seem to ignore the >>>>>> issue that there is no mechanism to verify the correctness of the >>>>>> secmark labels. Making strong guarantees about the ability to enforce a >>>>>> given policy without any assurance that the labels are correct seems a >>>>>> bit silly to me. >>>>> >>>>> Believe me, as a policy person, I'd never ignore labeling correctness. I >>>>> don't think SECMARK rule correctness has anything to do with this >>>>> discussion, as this is about the mechanism/enforcement itself. >>>> >>>> Perhaps I'm reading the two sentences above wrong, perhaps I'm thinking >>>> about it wrong, or perhaps you didn't write them as intended; but the two >>>> sentences above seem to contradict each other in my mind. I just don't >>>> see how you can have enforcement via labels without correct application >>>> of the labels themselves. >>> >>> Of course for a system to work right you need correct enforcement, correct >>> policy, and correct labeling. My whole argument is about the enforcement. >>> If you have correct labeling and correct policy but wrong enforcement, its >>> still incorrect. I'm only trying to argue on the enforcement; label >>> correctness is important, just not for this discussion. >> >> My argument is that worrying about enforcement without demonstrating you've >> solved the labeling issue is pointless. It is my opinion that the labels have >> to be correct before you can perform any worthwhile enforcement. > > I agree that worthwhile enforcement requires correct labels but I'm not > following how that relates to having a complete non-bypassable > mechanism. Either way the security policy isn't enforced correctly. -- paul moore www.paul-moore.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
