[redhat-lspp] LSPP Development Telecon 10/16/2006 Minutes
James Morris
jmorris at namei.org
Thu Oct 19 21:17:50 UTC 2006
On Thu, 19 Oct 2006, Paul Moore wrote:
> Thinking strictly from a TE point of view 64k is quite a bit, however if we
> throw in MLS it shrinks really quickly when you add all of the possible
> combinations of sensitivity level plus categories. Maybe somebody from TCS or
> the Lenny/Joe/Ted team can describe a typical scenario, but from the limited
> label encodings I have seen 15/16 bits just doesn't seem like enough.
It can be an arbitrary split, so that e.g. internal labels have 2^10 and
external 2^22 or something. I really doubt that there will be many
internal labels. Generally, they're only going to carry information about
well known services (ports) and perhaps some node & netif info.
In an MLS environment, I'd imagine setting the MLS component based on the
interface (and perhaps ip address(es)) and the TE component based on the
port. e.g.

  dport 80 / eth0: http_packet_t:s3
  dport 80 / eth1: http_packet_t:s4

- James
--
James Morris
<jmorris at namei.org>