RE: Alternative user management approach
First, I would like to state that a method for limiting the need to reload the
policy and making it work in a distributed environment is certainly needed.
>
> The problem is building a general mechanism that can handle nearly any
> situation. I agree that over the past 20+ years, most MLS applications I've
> seen use a small portion of the possible lattice supported.
While it is true that a small subset of labels is used in a number of
environments, there are special cases where people create and use dynamic
labels on the fly, thus utilizing a large number of categories.
> However they use differing portions. And some applications, in particular
> compartmented mode applications, can use many categories with the potential
> for a large number of points in the lattice being assigned to specific users.
> Worse, users can be granted and removed access to lattice points (i.e.,
> categories) now and then.
>
It is very true that different users will have different clearances.
Depending on the number of levels (usually a couple) and categories (can
vary from a few to many) you could require a lot of different combinations.
Another factor in the potential increase of mappings would be the increased use
of roles. Currently, their use is very limited, but if you increase the
roles to allow users to perform different actions, you increase the number
of combinations as well.
-Chad
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.