On Thu, May 17, 2012 at 11:31 AM, david caplan <dac@xxxxxxxxxx> wrote:
> On 5/17/2012 10:42 AM, Paul Moore wrote:
>> On Thu, May 17, 2012 at 10:06 AM, david caplan <dac@xxxxxxxxxx> wrote:
>>> On 5/15/2012 2:45 PM, Paul Moore wrote:
>>>> On Tuesday, May 15, 2012 11:46:27 AM Christopher J. PeBenito wrote:
>>>>> On 05/15/12 11:04, Paul Moore wrote:
>>>>>> On Tuesday, May 15, 2012 10:47:25 AM Christopher J. PeBenito wrote:
>>>>>>> On 05/15/12 10:13, Paul Moore wrote:
>>>>>>>> See my earlier comments in this thread about being able to verify the
>>>>>>>> correctness of the secmark labels. This has always been my core concern
>>>>>>>> with your argument: you are concerned about the ability for policy to
>>>>>>>> control network traffic labeled via secmark, but you seem to ignore the
>>>>>>>> issue that there is no mechanism to verify the correctness of the
>>>>>>>> secmark labels. Making strong guarantees about the ability to enforce a
>>>>>>>> given policy without any assurance that the labels are correct seems a
>>>>>>>> bit silly to me.
>>>>>>>
>>>>>>> Believe me, as a policy person, I'd never ignore labeling correctness. I
>>>>>>> don't think SECMARK rule correctness has anything to do with this
>>>>>>> discussion, as this is about the mechanism/enforcement itself.
>>>>>>
>>>>>> Perhaps I'm reading the two sentences above wrong, perhaps I'm thinking
>>>>>> about it wrong, or perhaps you didn't write them as intended; but the two
>>>>>> sentences above seem to contradict each other in my mind. I just don't
>>>>>> see how you can have enforcement via labels without correct application
>>>>>> of the labels themselves.
>>>>>
>>>>> Of course for a system to work right you need correct enforcement, correct
>>>>> policy, and correct labeling. My whole argument is about the enforcement.
>>>>> If you have correct labeling and correct policy but wrong enforcement, it's
>>>>> still incorrect. I'm only trying to argue on the enforcement; label
>>>>> correctness is important, just not for this discussion.
>>>>
>>>> My argument is that worrying about enforcement without demonstrating you've
>>>> solved the labeling issue is pointless. It is my opinion that the labels have
>>>> to be correct before you can perform any worthwhile enforcement.
>>>
>>> I agree that worthwhile enforcement requires correct labels but I'm not
>>> following how that relates to having a complete non-bypassable
>>> mechanism.
>>
>> Either way the security policy isn't enforced correctly.
>
> No, if there is no enforcement mechanism then the policy is 100% not
> enforced. If there is an enforcement mechanism then there is some chance
> that it is enforced correctly.

Either way you have no guarantee that the policy is enforced correctly.

--
paul moore
www.paul-moore.com