Summary of Informal SELinux Meeting on May 6, 2004

Stephen Smalley sds at epoch.ncsc.mil
Fri Jun 4 11:31:25 UTC 2004


On Fri, 2004-06-04 at 04:03, Russell Coker wrote:
> On Fri, 4 Jun 2004 05:57, Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:
> >  all in the same single monolithic daemon that bound itself
> >  to several different ports and several different unix domain
> >  sockets, you wouldn't seriously consider saying that "this
> >  hybrid is a trusted application" would you?
> 
> "trusted" in this context does not mean "the code is great and we can totally 
> trust it", but rather "due to the design of the system we have no choice but 
> to trust it as it can totally break the security if it has a problem".

Further point of clarification:  It only has to be trusted to maintain
separation of data for the security contexts it is allowed to access,
e.g. it might be allowed to access data from multiple user roles and
maintain their separation without being allowed to access administrator
or system files.  So the trust is not absolute; the OS is still
enforcing some degree of confinement over the application.

I think Frank Mayer of Tresys has previously suggested using
"trustworthy" vs. "trusted" to distinguish the cases noted by Russell.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
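
To make the "scoped trust" point concrete in policy terms, the following type enforcement fragment is an added illustration; it is not taken from the thread or from any shipped SELinux policy. The domain name multi_svc_t and its executable type multi_svc_exec_t are invented for the example, and the user, staff, sysadm and shadow types are assumed to be declared elsewhere in the surrounding policy.

```selinux
# Added example (hypothetical): a daemon that serves data belonging to more
# than one user role but is confined away from administrator and system data.

# Domain for the daemon and the type of its on-disk executable (both invented).
type multi_svc_t, domain;
type multi_svc_exec_t, file_type, exec_type;

# Entry into the domain: execute the labelled binary to transition into it.
allow multi_svc_t multi_svc_exec_t:file entrypoint;

# The daemon may read and write the home data of two user types.  Because a
# single process touches both, the daemon itself must be trusted to keep
# user_home_t and staff_home_t data apart; the kernel cannot do that for it.
allow multi_svc_t { user_home_t staff_home_t }:dir { read search open getattr };
allow multi_svc_t { user_home_t staff_home_t }:file { read write open getattr };

# Nothing grants access to administrator or system-sensitive data, so the
# default-deny policy still confines the daemon outside the scope above.
# A neverallow turns that boundary into an invariant checked at policy
# compile time: if a later rule tries to grant it, checkpolicy rejects
# the whole policy rather than silently widening the daemon's trust.
neverallow multi_svc_t { sysadm_home_t shadow_t }:file *;
```

The two halves express Stephen's distinction directly: the allow rules define the contexts the daemon must be "trusted" with, in Russell's sense that a bug there lets it mix those users' data, while the absence of rules (and the neverallow) is the confinement the OS still enforces. On a built policy, `sesearch -A -s multi_svc_t -t shadow_t` returning no rules is the quick check that the confinement half actually holds.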