[cap-talk] A better reference for the "capabilities propagate too easily" argument

Toby Murray toby.murray at comlab.ox.ac.uk
Wed Aug 1 16:09:48 EDT 2007


On Wed, 2007-08-01 at 08:58 -0700, Mark Miller wrote:
> Again, I have no idea what you or anyone else (except Alan) means when
> they say "discretionary" or "mandatory". 

Just for reference, (I believe this tallies with Jonathan's view as
well, based on previous discussions here with him) from my
point-of-view, the distinction between a mandatory and discretionary
control is always decided from the perspective of the subjects involved.
If a particular subject, S, has some say in the functioning of the
control, then it's discretionary (from S's point of view). Otherwise it's
mandatory (from S's point of view).

The SELinux access controls are discretionary from the point of view of
anyone who can modify them (that is, the policy). They are mandatory
from the point-of-view of anyone who cannot.

Does anyone agree with these definitions? They seem to be about the only
sane ones I've ever been able to apply. From memory, they were derived
from "The Inevitability of Failure", a Steve Smalley paper motivating
SELinux if memory serves. They were derived during discussions with
previous work colleagues; but I think they serve well generally.





