A few questions

Stephen Smalley sds at tycho.nsa.gov
Thu Sep 21 15:32:10 UTC 2006


On Thu, 2006-09-21 at 17:01 +0200, Salvo Giuffrida wrote:
> Isn't there complete control also on standard Linux with DAC?

No, there are entire object classes left uncontrolled by DAC (e.g.
sockets), and there are quite a few operations that are not constrained by
DAC.

> Security relevant information, such as? Level of confidentiality, role, 
> and...?

Yes, the role and clearance of the user, the function and
trustworthiness of the program (and potentially the call chain leading
to it), the sensitivity and integrity of the process and the data, etc.

This is all fairly well covered in the background and papers on the
nsa.gov/selinux site,
http://www.nsa.gov/selinux/info/
http://www.nsa.gov/selinux/info/docs.cfm

Not up to date, but useful in understanding.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list