On Tue, 31 Mar 2009, Jarrett Lu wrote:
> I'm in general agreement with you on this. I am not sure to what extent
> the extensibility stuff makes sense, e.g. how much may be enough? I
> guess we need to study more use scenarios. I suspect TE systems may have
> more challenges in this area, just because security policies on TE
> systems tend to be more flexible. For example, how many things are
> critical in order to translate a label correctly: OS version, vendor,
> label parser, security policy file? How likely is it that DTE systems are
> configured with the exact same policy files? Does it make sense that a
> (harmless) update to the security policy file causes label translation
> failures from that point on?

With SELinux systems, policies do not need to be identical to be
considered part of the same DOI. Generally, labels need to remain
semantically equivalent (i.e. mean the same thing on each system), and the
policies need to be managed within the same administrative boundary.
Systems may restrict which labels they'll interpret from remote systems
(similar to root_squash).