Message-ID: <4411B9A9.5020102@hp.com>
Date: Fri, 10 Mar 2006 12:38:49 -0500
From: Paul Moore
MIME-Version: 1.0
To: Stephen Smalley
Cc: James Morris, SELinux List
Subject: Re: Query MLS info outside of SELinux/LSM?
References: <4411AFCB.60401@hp.com> <1142010664.25454.128.camel@moss-spartans.epoch.ncsc.mil> <4411B5F2.6060702@hp.com> <1142012234.25454.139.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1142012234.25454.139.camel@moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Stephen Smalley wrote:
> On Fri, 2006-03-10 at 12:22 -0500, Paul Moore wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Fri, 2006-03-10 at 11:56 -0500, Paul Moore wrote:
>>>
>>>> Is there a way to query the number of MLS sensitivity levels and
>>>> categories outside of the SELinux LSM? I haven't seen anything, but
>>>> thought I would ask before I started looking at alternatives ... which
>>>> brings me to my next question - would anyone have an objection to adding
>>>> this functionality?
>>>
>>> The goal is to keep information about the specific security models
>>> encapsulated in the security server (security/selinux/ss/*.c). The rest
>>> of the SELinux code then remains policy-independent, as does the rest of
>>> the kernel.
>>
>> The only concern I have with the above statement is that in some cases,
>> i.e. labeled networking, some of that security model information such as
>> MLS limits is important outside the security server.
>
> I think you want to generalize that kind of logic for arbitrary security
> labels, not just MLS, and hide it behind an abstract interface provided
> by the security server. Particularly since we want labeled networking
> to support the full security context ultimately.

Agreed. Although for most cases in SELinux there are no practical upper
bounds, so such logic (that I am thinking of anyway) doesn't make sense.

I was just looking for something to tell me the number of MLS levels and
categories in the current instantiated policy so I could do some
optimizations in the CIPSO/NetLabel code. It's not a big deal; there is
always another solution.

-- 
paul moore
linux security @ hp