On Tue, 2005-11-01 at 10:57 -0500, James Morris wrote:
MCS is initially for files only, although it could be extended to
directories if it makes sense.
What does it mean to say that /tmp/foo is "Company Confidential" ? If the
files under that directory are not all labeled with that category, they'll
lose the MCS protection if copied or moved. I think we really want to
make sure that that each file is correctly labeled under MCS and not
depend on parent directories, and not have to think about label
inheritance semantics.
My view is that the MCS label is a security category explicitly assigned
to a file, and should not change unless the user again explicitly changes
it. The label itself and its meaning have no hierarchical properties.
I understand this POV, but I'm not sure it will translate well to how
people want to apply protection to their data. On the other hand,
directory hierarchy-based protection often doesn't map well to the
desired security properties either, and does leave one open to aliasing
(via hard links or bind mounts) as well as relocation.
In any event, we might want to generalize the mls_compute_sid logic to
support either case, driven by the configuration, so that we can later
support such directory-based inheritance for MCS if desired without
having to patch the SELinux module.
--
Stephen Smalley
National Security Agency