1 Aug 2007 23:31
Re: A better reference for the "capabilities propagate too easily" argument
On Wed, 2007-08-01 at 21:09 +0100, Toby Murray wrote:
> On Wed, 2007-08-01 at 08:58 -0700, Mark Miller wrote:
> > Again, I have no idea what you or anyone else (except Alan) means when
> > they say "discretionary" or "mandatory".
>
> The SELinux access controls are discretionary from the point of view of
> anyone who can modify them (that is, the policy). They are mandatory
> from the point-of-view of anyone who cannot.

I think that this is fair. They are mandatory in the same sense that a non-bypassable membrane imposes a mandatory control if you are a process that sits "inside" the environment imposed by the membrane.

> Does anyone agree with these definitions? They seem to be about the only
> sane ones I've ever been able to apply. From memory, they were derived
> from "The Inevitability of Failure", a Steve Smalley paper motivating
> SELinux if memory serves. They were derived during discussions with
> previous work colleagues; but I think they serve well generally.

So far as I know, this definition of discretionary vs. mandatory as reflecting point of view originated with me. If Steve came to this view first, I would very much like to know. If I didn't originate this framing, I don't want to take credit away from anyone else.

shap