* XML ACL standard ratified
From: Joshua Brindle @ 2003-02-21 15:14 UTC (permalink / raw)
To: SELinux
http://www.eweek.com/article2/0,3959,893831,00.asp
XACML (extensible access control markup language) ratified
Will SELinux be taking advantage of this? I know someone was working on
some XML stuff a while back but every time I go look at where it is it
hasn't changed. Anyone else planning on implementing an XML policy
translator or something? Thanks.
Joshua Brindle
UNIX Administrator
Southern Nazarene University
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: XML ACL standard ratified
From: Brian May @ 2003-02-22 3:47 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SELinux
On Fri, Feb 21, 2003 at 09:14:52AM -0600, Joshua Brindle wrote:
> http://www.eweek.com/article2/0,3959,893831,00.asp
> XACML (extensible access control markup language) ratified
>
> Will SELinux be taking advantage of this? I know someone was working on
> some XML stuff a while back but every time I go look at where it is it
> hasn't changed. Anyone else planning on implementing an XML policy
> translator or something? Thanks.
So far I only have had a quick look at XACML (and may be totally
mistaken, I am still downloading the specs), but it would appear to
serve a different purpose to SE-Linux.
XACML, while a central policy, like SE-Linux, appears to be focused
around what actions individual users can/can't do. E.g., can a user log in
at time X:XXam?
SE-Linux on the other hand is focused on what processes can access
what resources. E.g., can Mozilla access the user's PGP private key?
Can inetd bind on port 80?
These aren't necessarily mutually exclusive goals, just different
goals.
--
Brian May <bam@snoopy.apana.org.au>
* Re: XML ACL standard ratified
From: Gerald E @ 2003-02-24 3:10 UTC (permalink / raw)
To: Brian May; +Cc: Joshua Brindle, SELinux
Having read at least part of the XACML standard and sat through some
presentations on it I could call myself an expert, but I am not.
Basically it is an extension to SAML, with extensions for how to exchange
security tokens for permissions for authorization.
http://www.oasis-open.org/committees/security/
for SAML
http://www.oasis-open.org/committees/xacml/
for XACML
In addition there are additional mechanisms for security management.
This standard will become more important as things like web services are
implemented.
I am on the W3C Web Services Architecture group for my company, and security is
being addressed.
Gerald Edgar
Brian May wrote:
> On Fri, Feb 21, 2003 at 09:14:52AM -0600, Joshua Brindle wrote:
> > http://www.eweek.com/article2/0,3959,893831,00.asp
> > XACML (extensible access control markup language) ratified
> >
> > Will SELinux be taking advantage of this? I know someone was working on
> > some XML stuff a while back but every time I go look at where it is it
> > hasn't changed. Anyone else planning on implementing an XML policy
> > translator or something? Thanks.
>
> So far I only have had a quick look at XACML (and may be totally
> mistaken, I am still downloading the specs), but it would appear to
> serve a different purpose to SE-Linux.
>
> XACML, while a central policy, like SE-Linux, appears to be focused
> around what actions individual users can/can't do. E.g., can a user log in
> at time X:XXam?
>
> SE-Linux on the other hand is focused on what processes can access
> what resources. E.g., can Mozilla access the user's PGP private key?
> Can inetd bind on port 80?
>
> These aren't necessarily mutually exclusive goals, just different
> goals.
> --
> Brian May <bam@snoopy.apana.org.au>