More MCS

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 1 19:13:46 UTC 2005


On Tue, 2005-11-01 at 10:57 -0500, James Morris wrote:
> MCS is initially for files only, although it could be extended to 
> directories if it makes sense.
> 
> What does it mean to say that /tmp/foo is "Company Confidential" ?  If the 
> files under that directory are not all labeled with that category, they'll 
> lose the MCS protection if copied or moved.  I think we really want to 
> make sure that each file is correctly labeled under MCS and not 
> depend on parent directories, and not have to think about label 
> inheritance semantics.
> 
> My view is that the MCS label is a security category explicitly assigned 
> to a file, and should not change unless the user again explicitly changes 
> it.  The label itself and its meaning have no hierarchical properties.

I understand this POV, but I'm not sure it will translate well to how
people want to apply protection to their data.  On the other hand,
directory hierarchy-based protection often doesn't map well to the
desired security properties either, and does leave one open to aliasing
(via hard links or bind mounts) as well as relocation.

In any event, we might want to generalize the mls_compute_sid logic to
support either case, driven by the configuration, so that we can later
support such directory-based inheritance for MCS if desired without
having to patch the SELinux module.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list