More MCS

James Morris jmorris at namei.org
Tue Nov 1 15:57:10 UTC 2005


On Mon, 31 Oct 2005, Stephen Smalley wrote:

> Looks like the MCS constraints (as defined in policy/mcs) only constrain
> access to files, not directories, presently (and this is noted in a
> comment in that file, so it seems to be intentional).  They do appear to
> work correctly for files.  Use of categories on directories doesn't seem
> to be supported at present under MCS.

MCS is initially for files only, although it could be extended to 
directories if it makes sense.

What does it mean to say that /tmp/foo is "Company Confidential"?  If the 
files under that directory are not all labeled with that category, they'll 
lose the MCS protection if copied or moved.  I think we really want to 
make sure that each file is correctly labeled under MCS and not 
depend on parent directories, and not have to think about label 
inheritance semantics.

My view is that the MCS label is a security category explicitly assigned 
to a file, and should not change unless the user again explicitly changes 
it.  The label itself and its meaning have no hierarchical properties.


- James
-- 
James Morris
<jmorris at namei.org>
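An added illustration of the point made in this thread, not code from the SELinux policy or from either poster: a small Python model of MCS category dominance. It assumes only the standard MCS file constraint (a process may access a file when its category set is a superset of the file's) and the "s0:c0.c3,c7" label notation; the labels, the default category-less label "s0", and the copy behaviour modelled below are constructed for the example.

```python
"""Toy model of SELinux MCS category dominance on files.

Added example: the dominance rule modelled here (process categories must
include every category on the file) is the standard MCS file constraint.
The labels and the copy scenario are constructed for illustration and the
model ignores the sensitivity level and the type, since the thread is about
categories only.
"""
import re

_RANGE = re.compile(r"^c(\d+)\.c(\d+)$")
_SINGLE = re.compile(r"^c(\d+)$")


def parse_mcs(label: str) -> set[int]:
    """Return the category set of an MCS label such as 's0:c0.c3,c7'.

    Elements are comma-separated; 'cN.cM' denotes the inclusive range
    N..M.  A bare sensitivity ('s0') carries no categories.
    """
    if ":" not in label:
        return set()
    _sens, _, cats = label.partition(":")
    result: set[int] = set()
    for item in cats.split(","):
        item = item.strip()
        if not item:
            continue
        m = _RANGE.match(item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad category range {item!r}")
            result.update(range(lo, hi + 1))
            continue
        m = _SINGLE.match(item)
        if not m:
            raise ValueError(f"bad category {item!r}")
        result.add(int(m.group(1)))
    return result


def mcs_allows(process_label: str, file_label: str) -> bool:
    """MCS dominance check for file access.

    Only the file's own categories matter; the label of the parent
    directory is not consulted, which matches the description in the
    thread of policy/mcs constraining files rather than directories.
    """
    return parse_mcs(file_label) <= parse_mcs(process_label)


def label_after_copy(src_label: str, preserve_context: bool,
                     default_label: str = "s0") -> str:
    """Model the failure mode the thread warns about.

    A copy made without preserving the source's security context gets
    the default, category-less label (constructed here as 's0'), so the
    MCS protection on the original does not follow the data.
    """
    return src_label if preserve_context else default_label


def copy_keeps_protection(process_label: str, src_label: str,
                          preserve_context: bool) -> bool:
    """True when a process that is denied the original would still be
    denied the copy, i.e. the copy kept its MCS protection."""
    denied_original = not mcs_allows(process_label, src_label)
    copy_label = label_after_copy(src_label, preserve_context)
    denied_copy = not mcs_allows(process_label, copy_label)
    return denied_original and denied_copy
```

A process running unconfined with the full range "s0:c0.c1023" dominates any file; a process with no categories is denied a file carrying c5, but is allowed a copy of that file made without preserving the context, which is exactly why the thread insists each file must carry its own label.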




More information about the fedora-selinux-list mailing list