>>SELinux Mailing List: by thread

• Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

From: Thomas A Langan <tlangan_at_dsl.cis.upenn.edu>
subject: Policy Enforcement Question
Date: Sun, 27 Jan 2002 22:13:08 -0500 (EST)

• This message: [ Message body ]
• Next message: Stephen Smalley: "Re: network and module problems"
• Previous message: Chris Crowther: "Re: Backups"
• Next in thread: Stephen Smalley: "Re: Policy Enforcement Question"
• Reply: Stephen Smalley: "Re: Policy Enforcement Question"

I have a quick conceptual question about the role policies in the Flask architecture.

When policies are defined by an admin --- using RBAC, TE or a combination thereof -- and parsed into the system, does rights-checking at the lowest level occur seperately for each policy defined (and in turn, seperately for each language such as RBAC or TE) or do all the policies compile down to an intermediate format that handles all of the languages and policies transparently? If the latter, what is the intermediate representation?

I couldn't find any clear documentation to answer this question -- if it exists, let me know where it is and I'm sorry about cluttering your mailbox!

Tom

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Policy Enforcement Question
Date: Mon, 28 Jan 2002 09:43:53 -0500 (EST)

• This message: [ Message body ]
• Next message: Lonnie Cumberland: "applications and ports"
• Previous message: Stephen Smalley: "Re: network and module problems"
• In reply to: Thomas A Langan: "Policy Enforcement Question"

On Sun, 27 Jan 2002, Thomas A Langan wrote:

> I have a quick conceptual question about the role policies in the Flask
> architecture.
>
> When policies are defined by an admin --- using RBAC, TE or a
> combination thereof -- and parsed into the system, does rights-checking
> at the lowest level occur seperately for each policy defined (and in turn,
> seperately for each language such as RBAC or TE) or do all the policies
> compile down to an intermediate format that handles all of the languages
> and policies transparently? If the latter, what is the intermediate
> representation?

>From the perspective of the object managers, the "intermediate
representation" is an access vector for a given SID pair and security class. The object managers have no knowledge of the inner workings of the policy or even that there are multiple policies. The Flask architecture specifies the interfaces to the security server, not its implementation.

>From the perspective of the example security server, each policy has
some core logic that is driven by the corresponding configuration, and an access vector computation involves combining the results of a computation by each policy. Most of the policy is expressed through the TE configuration.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

• Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT