some questions (Re: mac-0.5.diff)
jmorris at intercode.com.au
Thu Sep 27 17:31:02 GMT 2001
On Thu, 27 Sep 2001, Robert Watson wrote:
> to least privilege. By throwing TE into the mix, you can represent a
> number of more useful policies. From the perspective of packet labeling,
> I think going with MLS and Biba is fine -- I'm not sure existing TE work
> has addressed the packet label issue much, although I know DTE has.
An earlier Flask prototype used IPSec security associations to negotiate
policy for mandatory access networking, using a customized DOI (see
http://www.cs.utah.edu/flux/papers/). It did not use packet labeling.
I'm currently investigating a different approach with labeled networking
under SELinux via type-7 FIPS188 tags, but there is not much to see as yet
(I mention this now as it would probably be a very good idea to work towards
interoperability if you decide on the TE route).
> these policies are so flexible, deciding how to export something useful
> (and then import it at the other end) is an unsolved problem.
Yes, this is quite difficult. One possibility is to use an out-of-band
protocol to exchange information about the labels on the fly.
<jmorris at intercode.com.au>
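As an added illustration of the packet-labeling approach mentioned above (example code written for this page, not code from the post, from SELinux or from TrustedBSD): a minimal encoder and parser for an IP option that carries a security context string inside a FIPS 188 free-form (type 7) tag. The framing is assumed, not taken from the thread: a CIPSO-style option header (option type 134, option length, 4-byte DOI) followed by tags of the form (type, length, data), with the FIPS 188 type 7 payload holding the label as printable text. The DOI value 1 and the context strings are made up for the example. The point a practitioner cares about is the receive side: every tag length is checked against the remaining option bytes before anything is copied, and a tag that does not fit, a label that is not printable text, or a mismatched DOI is rejected rather than trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CIPSO_OPT_TYPE       134  /* IP option type used by CIPSO (assumed framing) */
#define IP_OPT_MAX_LEN        40  /* IPv4 header leaves at most 40 option bytes */
#define FIPS188_TAG_FREEFORM   7  /* FIPS 188 free-form tag type */
#define HDR_LEN                6  /* option type + option length + 4-byte DOI */
#define TAG_HDR_LEN            2  /* tag type + tag length */

struct label_opt {
    uint8_t buf[IP_OPT_MAX_LEN];
    size_t  len;
};

/* Build the option: header, then one type-7 tag holding the context string.
 * Returns the option length, or -1 if the label cannot fit in 40 bytes. */
int label_opt_encode(struct label_opt *o, uint32_t doi, const char *ctx)
{
    size_t clen = strlen(ctx);
    size_t total = HDR_LEN + TAG_HDR_LEN + clen;

    if (clen == 0 || total > IP_OPT_MAX_LEN)
        return -1;
    o->buf[0] = CIPSO_OPT_TYPE;
    o->buf[1] = (uint8_t)total;
    o->buf[2] = (uint8_t)(doi >> 24);
    o->buf[3] = (uint8_t)(doi >> 16);
    o->buf[4] = (uint8_t)(doi >> 8);
    o->buf[5] = (uint8_t)doi;
    o->buf[6] = FIPS188_TAG_FREEFORM;
    o->buf[7] = (uint8_t)(TAG_HDR_LEN + clen);
    memcpy(&o->buf[8], ctx, clen);
    o->len = total;
    return (int)total;
}

/* Parse a received option, walking the tag list with bounds checks.
 * Copies the first type-7 payload into ctx as a NUL-terminated string.
 * Returns 0 on success, -1 if the option is malformed or not for our DOI. */
int label_opt_decode(const uint8_t *opt, size_t optlen, uint32_t expect_doi,
                     char *ctx, size_t ctxsz)
{
    uint32_t doi;
    size_t pos;

    if (optlen < HDR_LEN + TAG_HDR_LEN || optlen > IP_OPT_MAX_LEN)
        return -1;
    if (opt[0] != CIPSO_OPT_TYPE || opt[1] != optlen)
        return -1;                       /* length field must match what arrived */
    doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
          ((uint32_t)opt[4] << 8)  |  (uint32_t)opt[5];
    if (doi != expect_doi)
        return -1;                       /* labels from another DOI mean nothing here */

    for (pos = HDR_LEN; pos < optlen; ) {
        uint8_t type, tlen;
        if (optlen - pos < TAG_HDR_LEN)
            return -1;                   /* truncated tag header */
        type = opt[pos];
        tlen = opt[pos + 1];
        if (tlen < TAG_HDR_LEN || tlen > optlen - pos)
            return -1;                   /* tag claims more bytes than the option has */
        if (type == FIPS188_TAG_FREEFORM) {
            size_t dlen = tlen - TAG_HDR_LEN, i;
            if (dlen == 0 || dlen >= ctxsz)
                return -1;               /* would not fit the caller's buffer */
            for (i = 0; i < dlen; i++)   /* the label is text: refuse control bytes */
                if (opt[pos + TAG_HDR_LEN + i] < 0x20 || opt[pos + TAG_HDR_LEN + i] > 0x7e)
                    return -1;
            memcpy(ctx, &opt[pos + TAG_HDR_LEN], dlen);
            ctx[dlen] = '\0';
            return 0;
        }
        pos += tlen;                     /* skip tags of other types */
    }
    return -1;                           /* no free-form tag present */
}

int main(void)
{
    struct label_opt o;
    char ctx[64];

    /* Constructed sample: a hypothetical context string under DOI 1. */
    if (label_opt_encode(&o, 1, "system_u:object_r:netif_t") < 0)
        return 1;
    if (label_opt_decode(o.buf, o.len, 1, ctx, sizeof ctx) == 0)
        printf("decoded label: %s\n", ctx);
    return 0;
}
```

The decoder never trusts a length field it has not checked against the bytes actually present, which is the check that matters when a label option arrives from the network rather than from a trusted peer.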