posix mac
Ilmar S. Habibulin
ilmar at ints.ru
Wed Apr 14 15:30:33 GMT 1999
On Wed, 14 Apr 1999, Robert Watson wrote:
> I won't comment on MAC as I don't have that much experience with the
> mechanisms of MAC, and haven't done an in-depth review of that component
> of the draft. However, the lack of a sockets description (i.e.,
> limitation to POSIX interface) is one I hoped to remedy with this list. I
Yes, that is a nice idea. I don't know what the starting point for POSIX
standards is, but I suppose that this 'starting point' must have network
interconnection interfaces (API). So the lack of a sockets description (or some
other network API) is a serious design flaw, imho. I'm speaking from a MAC
implementor's point of view. Casey pointed me to some network security efforts
concerning MAC too. But at this point I think that we should better limit
network communications in the way that only unclassified persons
(processes) can make network connections.
> POSIX.1e provides a good starting point and guidance: I personally don't
I agree with that. But people worked hard for several years. Are they
here? Can we discuss our problems?
> sure that can be worked around with some help. I recently received some
> email about auditing extensions for Linux, and my essential comments were
> along the lines of: make sure you go for portability, give POSIX.1e a
> spin and see whether it can meet your needs.
Good answer. ;-) But I think that 1e should be changed in the MAC section.
Ok, let's forget about the decrement rule. But we've got missed _uncontrolled_
objects. They are sockets and SysV IPCs. And I don't like that many things
are "implementation defined" or "unspecified".