internal label representation
Robert Watson
rwatson at FreeBSD.org
Fri Oct 26 20:26:35 GMT 2001
On Thu, 11 Oct 2001, Ilmar S. Habibulin wrote:
> I'm thinking of making network interconnection possible in trustedbsd.
> Right now I can't directly insert my work in mac patch, cause existing
> label representation differs from mine. So maybe change it? There is
> type field, so what if just replace it with special label levels (HIGH,
> LOW and EQUAL?). So I would be able to label network packets as equal
> and let them pass in (This is the case of trusted server and labeled
> client exchange, when server has to deal with different labeled
> clients).

I borrowed this model from the SGI approach, which uses a tuple that
includes a type field in each label.

In a purely hierarchal scheme, I think you're right that it does add some
complexity. However, in a model with non-hierarchal components, it seemed
simpler to me. Also, it avoids the classic bug case where magic values
are taken out of a namespace to have special meaning, but are
inconsistently checked. I'm not opposed to changing, however. Right now,
I'm working to integrate your higher level VFS approach to access control
into my MAC patch, and also setting up a Perforce repository for the work
on FreeBSD.org. I hope to have a new patch available within a week or two
that incorporates these changes, and propagate access control and labeling
further through the tree.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
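
The contrast drawn in the reply above, a type field in each label versus magic values taken out of the label namespace, as an added example that is not part of the original message or of the TrustedBSD code. All names, the 16-bit grade, and the dominance rules chosen for LOW, HIGH and EQUAL are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; not the structures of the MAC patch discussed above. */
enum label_type { LT_GRADE, LT_LOW, LT_HIGH, LT_EQUAL };

struct label {
    enum label_type type; /* explicit tag, separate from the grade namespace */
    uint16_t grade;       /* meaningful only when type == LT_GRADE */
};

/* Tagged form: does a dominate b? Special labels are resolved here, once. */
bool label_dominates(const struct label *a, const struct label *b)
{
    if (a->type == LT_EQUAL || b->type == LT_EQUAL)
        return true;             /* EQUAL passes against any label */
    if (a->type == LT_HIGH || b->type == LT_LOW)
        return true;
    if (a->type == LT_LOW || b->type == LT_HIGH)
        return false;
    return a->grade >= b->grade; /* both are ordinary grades */
}

/* Magic-value form: EQUAL is a sentinel taken out of the grade range. */
#define MAGIC_EQUAL 0xFFFFu

/* Call site that remembers the sentinel. */
bool magic_dominates_checked(uint16_t a, uint16_t b)
{
    return a == MAGIC_EQUAL || b == MAGIC_EQUAL || a >= b;
}

/* Call site that forgets it: the sentinel is compared as the top grade. */
bool magic_dominates_unchecked(uint16_t a, uint16_t b)
{
    return a >= b;
}

int main(void)
{
    struct label subj = { LT_GRADE, 5 }, pkt = { LT_EQUAL, 0 };
    printf("tagged:          %d\n", label_dominates(&subj, &pkt));
    printf("magic checked:   %d\n", magic_dominates_checked(5, MAGIC_EQUAL));
    printf("magic unchecked: %d\n", magic_dominates_unchecked(5, MAGIC_EQUAL));
    return 0;
}
```

With the sentinel encoding, the two call sites disagree about the same EQUAL-labeled packet; with the tagged encoding there is no grade value that can be mistaken for a special label.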