Re: Category Translation patch for MCS/MLS Policy

[Casey Schaufler <casey@xxxxxxxxxxxxxxxx>]

--- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> One thing we are
> thinking about for MCS 
> is to allow an file to be in multiple categories.

Do you mean something different from the B&L
notion of multiple categories? Bell and LePadula,
as we all know, would allow a file to be marked
with multiple categories, but the accessing
process would have to have all of the said
categories for success. 

> So a c1-c3 
> translation might look like
> 
> "MedicalRecords,MassGeneral,Cancer"
> or
> "CompanyConfidential,IBMNonDisclosure5"
> 
> So we would want files to show this, but if I do a
> ps -eZ command I 
> don't want "System High" processes to translate it.

Why's that?

> So does MLS ps command translate?

If you're asking what I think you're asking
the answer is yes.

> Or does MCS have to add the concept
> of "system high"?

Not strictly. You could enumerate all categories,
but system high is much simpler, and you can
probably steal^H^H^H^Hhare more of the MLS code
that way. You might want to come up with a name
that's less threatening, perhaps "allcats", or
"star".


Casey Schaufler
casey@xxxxxxxxxxxxxxxx


		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.