Re: Are the reference policy abstractions the right ones?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: James Morris <jmorris@namei.org>
To: Karl MacMillan <kmacmillan@mentalrootkit.com>
Cc: jwcart2@tycho.nsa.gov, SELinux <selinux@tycho.nsa.gov>,
	Steve Smalley <sds@epoch.ncsc.mil>
Subject: Re: Are the reference policy abstractions the right ones?
Date: Mon, 15 Oct 2007 12:50:47 +1000 (EST)	[thread overview]
Message-ID: <Xine.LNX.4.64.0710151116270.433@us.intercode.com.au> (raw)
In-Reply-To: <1192122040.26928.61.camel@dhcp-64-223.iad.redhat.com>

On Thu, 11 Oct 2007, Karl MacMillan wrote:

> So - I'd like to hear from some other people. Are these ideas worth
> pursuing? The proposals:
> 
> 1) remove the distinction between attributes / types.
> 2) allow nested types / attributes.
> 3) type_class / type_group
> 4) exceptions

I think moving to a general OO model at a higher level is desirable, and 
that we need to go beyond simply 'type' in #3 and look at OO classes which 
encapsulate all SELinux-related attributes (permissions, labeling rules, 
network policy, booleans etc).

People are increasingly utilizing containers/VMs/appliances to manage and 
isolate their applications, and I think that this is also a means for us 
to provide higher-level SELinux abstractions.

With comprehensive SELinux classes, we could:

- Bind security classes to various levels of system abstraction, and thus 
  bind security objects to a variety of types of encapsulating objects 
  (e.g. RPM, VM, container, tarball, standalone file);

- Modify classes via inheritance (already discussed somewhat);

- Define high-level interactions between classes via well-defined 
  interfaces;

- Compose classes into higher-level classes in a structured, analyzable 
  manner.

With the latter being an important way to allow admins to configure 
overall security at a meaningful level of granularity, matching the level 
of encapsulation which they are already using for managing applications.

The idea generally being that admins/developers not think in terms of low 
level policy constructs (although allow these to be exposed if needed), 
but rather, to think about composing security objects into e.g. a 
container, and then from a system point of view, to be able to broadly 
define how the containers interact with each other and the base system.

Thoughts?

- James
-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2007-10-15  2:50 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-09 15:08 Are the reference policy abstractions the right ones? James Carter
2007-10-09 17:10 ` Karl MacMillan
2007-10-09 18:54   ` James Carter
2007-10-09 19:07     ` Karl MacMillan
2007-10-09 19:44       ` James Carter
2007-10-09 20:00         ` Karl MacMillan
2007-10-10 15:23           ` Karl MacMillan
2007-10-10 15:47             ` Joshua Brindle
2007-10-10 16:52             ` James Carter
2007-10-10 20:39               ` Karl MacMillan
2007-10-11 17:00                 ` Karl MacMillan
2007-10-11 17:32                   ` James Carter
2007-10-12 16:45                   ` Chad Sellers
2007-10-12 19:53                     ` James Carter
2007-10-12 19:59                       ` Karl MacMillan
2007-10-12 20:48                       ` Chad Sellers
2007-10-15  2:50                   ` James Morris [this message]
2007-10-15  3:45                     ` Joe Nall
2007-10-15  4:06                       ` James Morris
2007-10-15 14:30                     ` David P. Quigley
2007-10-15 18:55                     ` Karl MacMillan
2007-10-15 21:15                       ` James Morris
2007-10-15 22:23                         ` Karl MacMillan
2007-10-11 23:30             ` Daniel J Walsh
2007-10-09 17:34 ` Joshua Brindle
2007-10-09 18:18 ` Christopher J. PeBenito
2007-10-10 15:09 ` Karl MacMillan
2007-10-10 16:25   ` Casey Schaufler
2007-10-10 18:26   ` Paul Moore
2007-10-11  7:18 ` Frank L. Mayer
2007-10-11 20:26   ` James Carter
2007-10-12 16:45     ` Chad Sellers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Xine.LNX.4.64.0710151116270.433@us.intercode.com.au \
    --to=jmorris@namei.org \
    --cc=jwcart2@tycho.nsa.gov \
    --cc=kmacmillan@mentalrootkit.com \
    --cc=sds@epoch.ncsc.mil \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.