From: Casey Schaufler <casey@sgi.com>
To: selinux@tycho.nsa.gov
Subject: Re: questions...
Date: Mon, 26 Feb 2001 10:00:17 -0800
Message-ID: <3A9A99B1.D4DADBB8@sgi.com>
In-Reply-To: 200102232049.PAA11442@coalstack.epoch.ncsc.mil

Pete Loscocco wrote:
> If the modifications to SELinux to allow selective override of DAC (or
> any other capability that Linux currently has) that were suggested were
> made, what you get is a system that:
>
> - still has the current DAC policy. SELinux doesn't change the existing
> DAC mechanism. That is not being proposed here.

Yes it is. The proposed policy changes the DAC behavior
of the system. If you had a good set of regression tests
they would indicate a failure.

> - enforces a MAC policy which can allow certain processes, depending on
> security attributes of the process, to override the DAC mechanism to
> access files, depending on the security attributes of the file.

At which point you have introduced interactions between the
MAC, DAC, and Privilege mechanisms. At this point you no longer
have separate policies.

> This is just a refinement ...

I don't see it as a refinement. I see the argument
presented as a rationalization.

> I would say that this is good. If what SELinux has now supports a
> [DM]AC policy, what is being proposed still does, only in an even more
> useful way. If what SELinux does is not supporting a [DM]AC policy, the
> goal of a [DM]AC policy perhaps should be questioned.

Okay. Separate MAC and DAC policies can be bad, and
integrated policies can be good.

Don't mind me. I just spent a dozen years trying to
get people to accept MAC on its own, and it's been tough.
Go ahead, have MAC whomp all over the permission bits
that the populace has finally figured out how to use.
No sweat off my nose, really.
--
Casey Schaufler Manager, Trust Technology, SGI
casey@sgi.com voice: 650.933.1634
casey_p@pager.sgi.com Pager: 888.220.0607
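
Added example, not part of the original message or of SELinux: a small Python model of the two compositions argued over in this thread, showing which access decisions a DAC-only regression suite would flag. The labels (`user_t`, `backup_t`, `user_file_t`), the policy tables and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Proc:
    uid: int
    domain: str   # MAC label of the process (constructed)

@dataclass(frozen=True)
class File:
    owner: int
    mode: int     # permission bits; only owner/other are modelled here
    ftype: str    # MAC label of the file (constructed)

BITS = {"r": 4, "w": 2}

def dac(p, f, op):
    """Classic permission-bit check (group class omitted for brevity)."""
    shift = 6 if p.uid == f.owner else 0
    return bool((f.mode >> shift) & BITS[op])

# Constructed MAC policy: (process domain, file type) -> permitted operations.
MAC_ALLOW = {("user_t", "user_file_t"): "rw", ("backup_t", "user_file_t"): "r"}
# Constructed override rules: where the MAC policy may bypass the DAC check.
OVERRIDE_RULES = {("backup_t", "user_file_t"): "r"}

def mac(p, f, op):
    return op in MAC_ALLOW.get((p.domain, f.ftype), "")

def separate(p, f, op):
    """Independent policies: both must grant, so MAC can only restrict."""
    return dac(p, f, op) and mac(p, f, op)

def integrated(p, f, op):
    """Override composition: MAC attributes can replace a DAC denial."""
    override = op in OVERRIDE_RULES.get((p.domain, f.ftype), "")
    return mac(p, f, op) and (dac(p, f, op) or override)

def dac_regressions(decide, procs, files):
    """Accesses granted although the permission bits alone deny them."""
    return [(p, f, op) for p, f, op in product(procs, files, "rw")
            if decide(p, f, op) and not dac(p, f, op)]

# Constructed sample subjects and objects.
PROCS = [Proc(1000, "user_t"), Proc(1001, "user_t"), Proc(2000, "backup_t")]
FILES = [File(1000, 0o600, "user_file_t"), File(1000, 0o644, "user_file_t")]

if __name__ == "__main__":
    print("separate  :", dac_regressions(separate, PROCS, FILES))
    print("integrated:", dac_regressions(integrated, PROCS, FILES))
```

Under the separate composition the list is empty for any policy tables, because the final decision is always a subset of what DAC grants; under the override composition the owner's `0600` file becomes readable by a non-owner in `backup_t`.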