Re: questions...

[Casey Schaufler <casey@sgi.com>]

Stephen Smalley wrote:
> 
> On Thu, 22 Feb 2001, Casey Schaufler wrote:
> 
> > I guess I'm a little slow today. How would having MAC access
> > superceding DAC access be anything like the capabilities scheme?
> 
> See Spence Minear's paper at
> http://www.bsdcon.org/proceedings/spencer_minear/example_of_secure_bsd_os.ps
> for a discussion of the parallels between Type Enforcement and POSIX.1e
> capabilities.  In the DTOS system, Type Enforcement was used both
> to identify subjects that could override MLS restrictions and to
> identify subjects that could override Unix DAC restrictions.  At the
> same time, Type Enforcement was used to strictly limit such subjects
> to least privilege.  Their ability to override such restrictions
> could be limited to a particular set of objects since the rules
> are based on domain-type pairs.

OKay, I get it now. I keep forgetting that you're replacing
the entire access control scheme.

A claim that MAC affects DAC like Capabilities gives me
a certain amount of discomfort. Tranditionally, You gots
yer DAC, you gots yer MAC, and you gots yer Capabilities
and you could remove any one without changing the behavior
of the others. This is the way it's speced in the POSIX1e
scheme, and the way it's implemented in Irix. To quote
an old co-worker, "the mixed metaphore never boils".
To provide interactions between a DAC policy and a MAC
policy may be useful, but it's neither fish nor fowl
at that point. If you are going to have a policy which
is based on a label and on a user id you may have
something good, but you ain't got a [DM]AC policy.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.