On Wed, 2005-11-30 at 08:39 -0500, Tim Fraser wrote:
> I was claiming that the Low-Water-Mark-style implementation of a
> taint-oriented strategy is more compatible with traditional UNIX than
> a demotion-free Biba-Strict-style implementation would be. I wasn't
> making any comparison with your current SELinux policy other than to
> say that the least-privilege strategy it uses is different from the
> taint-oriented strategy Low Water-Mark schemes use.

Hmmm...well, now I'm confused. I thought that you (and others) were arguing that low water mark offers a higher degree of compatibility with traditional Unix than SELinux/TE, but here you seem to disavow such a claim, and don't respond to my specific examples of how the automatic demotion of low water mark is just as problematic for compatibility as a fixed label model.

> I'm not trying to talk you out of your preference for the
> least-privilege strategy. I'm just pointing out that SLIM seems to
> implement one of the few protection schemes not already covered by
> SELinux. Consequently, if you'd like to demonstrate the generality of
> the FLASK architecture or the LSM interface, I think SLIM deserves
> consideration.

But neither you nor David have responded substantively to the concerns I've raised twice now about low water mark as a model (to wit: pervasive non-tranquility of security labels, potential for application misbehavior, degeneration of the system toward low integrity over time). And, no, you can't just say that there are proofs about the model. So I can't see why low water mark deserves consideration as a model to be supported by SELinux/Flask. And SLIM as an implementation is badly broken in many ways, as I've noted, so it certainly doesn't deserve consideration in its current form; it seems doubtful that it can even be classified as a correct implementation of low water mark.

-- 
Stephen Smalley
National Security Agency
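
The two models contrasted in the message above, as an added illustration that is not part of the thread and is not SLIM or SELinux code: a toy monitor applying the textbook Biba strict rule and the subject low-water-mark rule to the same trace. The two-level lattice, the object names and the trace are constructed for the example.

```python
"""Toy integrity monitor: Biba strict vs. subject low-water-mark (constructed example)."""
from dataclasses import dataclass, field

LOW, HIGH = 0, 1  # two integrity levels; larger means more trusted

@dataclass
class Subject:
    name: str
    level: int
    history: list = field(default_factory=list)  # every label the subject has held

    def __post_init__(self):
        self.history.append(self.level)

class Monitor:
    def __init__(self, policy, objects):
        assert policy in ("strict", "lwm")
        self.policy = policy
        self.objects = dict(objects)  # object name -> fixed integrity level

    def read(self, subj, obj):
        olevel = self.objects[obj]
        if olevel >= subj.level:
            return True                  # reading at or above own level is allowed
        if self.policy == "strict":
            return False                 # no read-down; the label stays fixed
        subj.level = olevel              # low-water-mark: allow, then demote
        subj.history.append(subj.level)
        return True

    def write(self, subj, obj):
        # Both policies forbid writing to an object of higher integrity.
        return subj.level >= self.objects[obj]

def run_trace(policy):
    """A HIGH daemon updates its config, reads one LOW file, then updates again."""
    mon = Monitor(policy, {"/etc/daemon.conf": HIGH, "/tmp/upload": LOW})
    d = Subject("daemon", HIGH)
    results = [
        ("write conf", mon.write(d, "/etc/daemon.conf")),
        ("read upload", mon.read(d, "/tmp/upload")),
        ("write conf", mon.write(d, "/etc/daemon.conf")),
    ]
    return results, d.history

if __name__ == "__main__":
    for policy in ("strict", "lwm"):
        print(policy, *run_trace(policy))
```

Under the strict rule the denial lands on the read and the label never changes; under low water mark the read succeeds, the label changes mid-run, and the denial lands on a later write that had succeeded before.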
This archive was generated by hypermail 2.1.3 : Wed Nov 30 2005 - 06:19:25 PST