On Fri, 18 Nov 2005, David Safford wrote:

> In contrast, we have found the low water-mark model to be very useful
> in practice.

Can you explain this further, with some examples?

How would low watermark help a typical web/file/database/application server? What about a firewall, or a desktop system?

> Anyway, our main concern here is to give users the options for
> integrity verification, integrity attestation, and low water-mark MAC,
> whether as LSM modules, or libraries, or as policies, or whatever.
> We deeply appreciate all of the suggestions, and would like to reach some
> sort of consensus as to an acceptable architecture on which to move
> forward.

It's becoming increasingly clear to me that laissez-faire security model composition via LSM stacking is entirely the wrong path.

SELinux itself provides a comprehensive framework for flexible and cohesive security model composition. LSM is useful for plugging in entirely different access control frameworks, but not for composition.

I think that integrity verification, attestation and similar should be implemented as services which can be called on and controlled by SELinux.

I'd prefer to see the low-watermark model (if justified as a feature of the upstream kernel) integrated as an option into SELinux rather than implemented as a separate access control system. It seems that Stephen is not so keen on the idea, but we'd surely have control over whether the model was enabled or not.

Incorporating the model into SELinux means making it part of a large existing userbase and established community, meaning more testing, analysis, maintenance etc., which tends to lead to a higher quality of implementation.

- James

--
James Morris
<jmorris@private>
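Added illustration, not part of either poster's message: James asks how a low water-mark model would help a typical server. The simulation below implements the low water-mark integrity rule over a constructed three-level lattice and a hypothetical httpd scenario, showing the mechanism the model relies on: reading untrusted input demotes the subject, after which a write to a high-integrity object is denied while writes to low-integrity objects still succeed.

```python
"""Low water-mark integrity model simulation (added example, not kernel code).

Higher level = more trusted. Reading an object lowers the subject to
min(subject, object): the subject's "water mark" only ever sinks.
Writing is allowed only to objects at or below the subject's current level.
"""
from dataclasses import dataclass, field

# Constructed lattice for the example; a real policy would define its own.
SYSTEM, USER, UNTRUSTED = 3, 2, 1
LEVEL_NAME = {SYSTEM: "system", USER: "user", UNTRUSTED: "untrusted"}


@dataclass
class Obj:
    name: str
    level: int


@dataclass
class Subject:
    name: str
    level: int
    log: list = field(default_factory=list)

    def read(self, obj: Obj) -> bool:
        # Low water-mark rule: reads are never refused, but reading a less
        # trusted object demotes the subject to that object's level.
        if obj.level < self.level:
            self.log.append(f"{self.name}: read {obj.name} -> demoted to {LEVEL_NAME[obj.level]}")
            self.level = obj.level
        return True

    def write(self, obj: Obj) -> bool:
        # No write-up: cannot write an object more trusted than the subject.
        allowed = obj.level <= self.level
        self.log.append(f"{self.name}: write {obj.name} {'allowed' if allowed else 'denied'}")
        return allowed


def web_server_scenario():
    """Hypothetical httpd: reads a network request, then tries to write both
    its upload directory and the system-level configuration file."""
    httpd = Subject("httpd", SYSTEM)
    request = Obj("network request", UNTRUSTED)
    upload = Obj("/var/www/upload (constructed path)", UNTRUSTED)
    config = Obj("/etc/httpd.conf (constructed path)", SYSTEM)
    results = {"write_config_before": httpd.write(config)}  # still trusted: allowed
    httpd.read(request)                                     # untrusted data sinks the mark
    results["write_config_after"] = httpd.write(config)     # now denied
    results["write_upload_after"] = httpd.write(upload)     # low-integrity target: allowed
    return results, httpd.log
```

Run `web_server_scenario()` to see that a compromised request handler can still serve and modify untrusted content but can no longer reach the configuration it could write before reading the network.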
This archive was generated by hypermail 2.1.3 : Fri Nov 18 2005 - 13:03:40 PST