[Labeled-nfs] [PATCH 4/7] Security: Add secctx_to_secid LSM hooks and security helper functions

Casey Schaufler casey at schaufler-ca.com
Wed Aug 1 18:14:45 EDT 2007


--- Paul Moore <paul.moore at hp.com> wrote:

> On Wednesday, August 1 2007 5:11:27 pm Casey Schaufler wrote:
> > --- "David P. Quigley" <dpquigl at tycho.nsa.gov> wrote:
> > > From: David P. Quigley <dpquigl at tycho.nsa.gov>
> > >
> > > The existing LSM interface provides a hook for converting a security
> > > identifier to a security context. This patch introduces a complementary
> > > hook to provide the conversion from the security context to the
> > > corresponding security identifier.
> >
> > This is strictly SELinux behavior. I don't suppose it hurts
> > anything, but a general framework won't need this.
> 
> I'm not so sure about that ... having a mechanism which maps an arbitrarily
> large label into an easily manipulated token (and back again) seems like
> something that could be of use to other security mechanisms besides
> SELinux/TE.

Yes, if you wanted to port the SecureWare CMW to Linux it would be
quite valuable. If, on the other hand, you have a small, directly
used label, a mapping mechanism is unnecessary and being required
to do mappings is a pain in the bum. But, that's just me.


Casey Schaufler
casey at schaufler-ca.com

