HEADS UP: PERFORCE change 8204 for review (fwd)

Stephen Smalley sds at tislabs.com
Mon Apr 1 14:11:45 GMT 2002


On Fri, 29 Mar 2002, Ilmar S. Habibulin wrote:

> Ok, then let's discuss label text and in-kernel representation a little
> bit. Should compartments be part of ranges or only a single label? I've
> chosen the second variant.
> And what about text label representation? What should it look like? Is
> something like <policy>/<level>[<compartment>](<range>), where
> <policy> - biba,mls;
> <level> - high,low,equal,etc;
> <compartment> - comma-separated text strings (they will form bitmap);
> <range> - equal to <level>.
>
> For ex.: biba/level_1[comp_a,comp_b,comp_d](low-high)

In the SELinux MLS implementation, each level consists of a sensitivity
and an optional compartment set, and a range is a pair of levels, so
compartments are part of ranges.  The syntax of the text label
component for the MLS policy is as follows:

range -> level '-' level
         | level
level -> sensitivity ':' categoryset
         | sensitivity
categoryset -> category
         | categoryset ',' category

Some examples of legal text labels for the MLS policy component:

unclassified-top_secret
unclassified:foo-top_secret:foo,bar
unclassified:foo

--
Stephen D. Smalley, NAI Labs
ssmalley at nai.com
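
The grammar in the message above, written out as a small parser. This is an added example, not part of the original message and not SELinux code. The names `Level`, `Range`, `parse_level` and `parse_range` are hypothetical, and the identifier character set is an assumption because the message does not define one.

```python
import re
from typing import NamedTuple, Optional

# Assumption: the message does not define the lexical form of names, so
# identifiers here are letters, digits and underscores ('-' ':' ',' delimit).
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class Level(NamedTuple):
    sensitivity: str
    categories: frozenset  # empty when the optional category set is absent


class Range(NamedTuple):
    low: Level
    high: Optional[Level]  # None for the single-level form of 'range'


def _ident(token: str, what: str) -> str:
    if not _IDENT.fullmatch(token):
        raise ValueError(f"invalid {what}: {token!r}")
    return token


def parse_level(text: str) -> Level:
    # level -> sensitivity ':' categoryset | sensitivity
    sens, sep, cats = text.partition(":")
    _ident(sens, "sensitivity")
    if not sep:
        return Level(sens, frozenset())
    # categoryset -> category | categoryset ',' category
    # An empty set after ':' or an empty item between commas is rejected.
    return Level(sens, frozenset(_ident(c, "category") for c in cats.split(",")))


def parse_range(text: str) -> Range:
    # range -> level '-' level | level
    parts = text.split("-")
    if len(parts) > 2:
        raise ValueError(f"more than two levels in range: {text!r}")
    levels = [parse_level(p) for p in parts]
    return Range(levels[0], levels[1] if len(parts) == 2 else None)


# The three legal labels from the message, then constructed malformed ones.
LEGAL = ["unclassified-top_secret", "unclassified:foo-top_secret:foo,bar",
         "unclassified:foo"]
MALFORMED = ["", "unclassified:", "a:foo,,bar", "a-b-c", "a:b:c", "low-"]
```

Rejecting the malformed forms at parse time keeps an empty or ambiguous label from reaching whatever code later compares levels.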






