Stephen Smalley wrote:

> In SELinux, security IDs are opaque handles to "security contexts",
> which contain the actual security attributes. The mapping is
> maintained by the security server, and is accessible (subject
> to control by the policy) to applications. With regard to
> persistence, we address that through persistent label mappings
> in each file system based on per-filesystem persistent security
> identifier number spaces. So security IDs are local and
> non-persistent (for scalability). In any event, this
> is all described at length in the SELinux documentation and the
> Flask paper.

This is the same architecture used by SecureWare in their MLS product. This is the single reason that MLS systems have the reputation for being slow. This is a bad scheme from a number of aspects. If you want to use it in your module, that's fine, but a commercial grade system can't afford it.

--
Casey Schaufler Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 12:07:54 PDT
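
The SID scheme described in the quoted text above, as an added sketch that is not part of the original thread and is not SELinux code: a security-server table interns contexts into boot-local SIDs, and a per-filesystem table maps persistent identifiers back to contexts. All function names, the table layout and the context strings are hypothetical and constructed for illustration.

```c
/* Added sketch, not SELinux code. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAX_SIDS 16

/* "Security server" table: SID -> security context. SIDs are local to
 * this boot and are handed out in the order contexts are first seen. */
struct sidtab { const char *ctx[MAX_SIDS]; unsigned n; };

/* Intern a context; return its SID (1-based), or 0 if the table is full. */
unsigned context_to_sid(struct sidtab *t, const char *ctx)
{
    for (unsigned i = 0; i < t->n; i++)
        if (strcmp(t->ctx[i], ctx) == 0)
            return i + 1;
    if (t->n == MAX_SIDS)
        return 0;
    t->ctx[t->n] = ctx;
    return ++t->n;
}

/* Reverse lookup: the opaque handle back to its context; NULL if unknown. */
const char *sid_to_context(const struct sidtab *t, unsigned sid)
{
    return (sid >= 1 && sid <= t->n) ? t->ctx[sid - 1] : NULL;
}

/* Per-filesystem persistent mapping: persistent SID (array index) ->
 * context, stored with the filesystem. Constructed sample data. */
static const char *const fs_psid_map[] = {
    "system_u:object_r:file_t",
    "system_u:object_r:etc_t",
};

/* Resolve a file's persistent SID to a SID valid for this boot only. */
unsigned psid_to_sid(struct sidtab *t, unsigned psid)
{
    if (psid >= sizeof(fs_psid_map) / sizeof(fs_psid_map[0]))
        return 0; /* label not present in this filesystem's number space */
    return context_to_sid(t, fs_psid_map[psid]);
}

int main(void)
{
    struct sidtab boot1 = {0}, boot2 = {0};
    context_to_sid(&boot2, "system_u:system_r:init_t"); /* different order */
    printf("psid 1 -> sid %u, then sid %u\n", psid_to_sid(&boot1, 1), psid_to_sid(&boot2, 1));
    return 0;
}
```

The same on-disk persistent identifier resolves to different SIDs in the two simulated boots, while the context behind it is identical; every label check in such a design goes through one of these table lookups.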