From: Joshua Brindle <jbrindle@tresys.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Karl MacMillan <kmacmillan@tresys.com>,
"'Daniel J Walsh'" <dwalsh@redhat.com>,
gyurdiev@redhat.com, selinux@tycho.nsa.gov
Subject: Re: Iptables discussion
Date: Fri, 22 Jul 2005 11:54:32 -0400
Message-ID: <42E116B8.2050406@tresys.com>
In-Reply-To: <20050722154606.21958.qmail@web34309.mail.mud.yahoo.com>
Casey Schaufler wrote:
>--- Karl MacMillan <kmacmillan@tresys.com> wrote:
>
>>I know that this is just a motivating example, but I
>>feel compelled to point out
>>that 1) this problem is not really related to MLS in
>>the real world and
>
>On the contrary, it is a commonly requested
>scenario, not always with web services but
>often enough. Frequently the situation is an
>application written and owned by a 3rd party
>that provides a "special" service of some kind.
>Running two servers, one at Secret, one at
>TopSecret is the mode they prefer.
>
>>2)
>>separation based on ports is _very_ unlikely to meet
>>the requirements of a
>>system that will be processing data at different
>>sensitivities.
>
>It is done all the time. Yes, policy enforcing
>trusted applications are better, but y'all don't
>seem to have an interface for doing that, and
>most users couldn't change the applications
>anyway.
>
Eh? We certainly have userspace object managers, some in production use
such as dbus, passwd, cron, and others in development like SE-X.
We are also working on better support for userspace object managers
currently, such as adding a userspace security server for providing
decisions to userspace object managers (thus reducing the policy in the
kernel) and allowing object managers to register their object classes
dynamically.
>In Trix 4 we had polyinstantiated sockets. We
>dropped them in Trix 6 to be more like the
>other systems available at the time. I don't
>think anyone noticed because everyone was
>already doing "a server per label".
>
>Casey Schaufler
>casey@schaufler-ca.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
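As an added illustration of the "one server per label, separated by port" scheme discussed above (a constructed model written for this page, not code from the thread, from Trix or from SELinux), the levels, the port map and the constraint rules below are assumptions that only approximate how a real MLS policy expresses the same idea with port contexts and mlsconstrain rules.

```python
"""Toy model of MLS port separation: one server per label, each on its own port."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Level:
    """An MLS level: a sensitivity plus a set of compartments (categories)."""
    sensitivity: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        """Classic dominance: higher-or-equal sensitivity, superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and other.categories <= self.categories)

SYSTEM_LOW = Level(0)
SECRET = Level(2)
TOP_SECRET = Level(3)

# Constructed port labelling (assumed): the Secret server owns 8080,
# the TopSecret server owns 8443.
PORT_LABELS: Dict[Tuple[str, int], Level] = {
    ("tcp", 8080): SECRET,
    ("tcp", 8443): TOP_SECRET,
}

def port_level(proto: str, port: int) -> Level:
    """Label of a port; unlabelled ports fall back to an assumed system-low default."""
    return PORT_LABELS.get((proto, port), SYSTEM_LOW)

def mls_allowed(subject: Level, proto: str, port: int, perm: str) -> bool:
    """Simplified constraint rules (assumptions, not the real policy text):
    name_bind / name_connect require the subject level to equal the port level,
    so a single-level server or client only ever touches its own port;
    recv models delivery of a labelled packet and requires the receiver to
    dominate the port's level (no read-up)."""
    target = port_level(proto, port)
    if perm in ("name_bind", "name_connect"):
        return subject == target
    if perm == "recv":
        return subject.dominates(target)
    raise ValueError(f"unknown permission {perm!r}")

def audit_port_map(intended: Dict[Tuple[str, int], Level]) -> List[Tuple[str, int]]:
    """Defender's check: ports whose effective label differs from the deployer's
    intent (e.g. a port that was never labelled and silently defaults to low)."""
    return sorted(key for key, lvl in intended.items() if port_level(*key) != lvl)
```

The audit function is the part worth keeping: with port-based separation the security of the whole scheme rests on every server's port actually carrying the label the deployer assumed.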