Subject: Re: SE Linux vs SE NetBSD !!
To: Robert Watson <rwatson@FreeBSD.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 08/26/2006 00:16:11
On Sat, 26 Aug 2006 04:59:46 +0100 (BST), Robert Watson
<rwatson@FreeBSD.org> wrote:
>
> The less often seen variation is the floating label version, in which subjects
> are "downgraded" when they touch lower integrity objects, such as packets from
> untrusted network interfaces, etc. The theory behind this is that it requires
> less configuration -- you mark your trusted "stuff" and things remain with
> high integrity rights until they touch something less trusted. mac_lomac
> implements this on FreeBSD, but is considered quite experimental. I believe
> there's a recent Linux implementation by IBM; the older implementations done
> by Tim Fraser at TIS were done on FreeBSD and Linux, and were published about
> at USENIX, I think.
>
The oldest implementation I know of is by Doug McIlroy and Jim Reeds:
"Multilevel security in the Unix tradition", Software -- Practice and
Experience, 1992, vol 22, pp 673-694. Google Scholar has it indexed; I
highly recommend reading it.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
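
Added example, not part of the original message and not code from mac_lomac or any other implementation named in the thread: a small model of the floating-label behaviour described in the quoted text, where a subject keeps high integrity until it touches something less trusted. The two-level lattice, the write rule (the usual Biba one) and every object name are assumptions made for the illustration.

```python
"""Toy model of floating-label (low-water-mark) integrity.

Added illustration only: not mac_lomac code and not any kernel's API.
Level numbers and all object names below are constructed for the example.
"""
from dataclasses import dataclass, field

HIGH, LOW = 2, 1  # assumed two-level lattice; larger means more trusted


@dataclass
class Obj:
    name: str
    level: int


@dataclass
class Subject:
    name: str
    level: int = HIGH
    audit: list = field(default_factory=list)

    def read(self, obj: Obj) -> None:
        # Floating label: observing lower-integrity data demotes the subject
        # to the minimum of the two levels. The read itself is never refused.
        if obj.level < self.level:
            self.audit.append(f"demote {self.name}: {self.level}->{obj.level} via {obj.name}")
            self.level = obj.level

    def write(self, obj: Obj) -> bool:
        # Usual Biba write rule (assumed here): a subject may not modify an
        # object whose integrity is above the subject's current level.
        allowed = self.level >= obj.level
        if not allowed:
            self.audit.append(f"deny {self.name}: write {obj.name}")
        return allowed


def run_scenario() -> tuple:
    """A daemon starts trusted, reads from an untrusted interface, then writes."""
    config = Obj("/etc/trusted.conf", HIGH)      # marked trusted by the admin
    packet = Obj("packet@untrusted-if0", LOW)    # from an untrusted interface
    scratch = Obj("/tmp/scratch", LOW)
    daemon = Subject("daemon")

    before = daemon.write(config)        # still high integrity: allowed
    daemon.read(packet)                  # label floats down to LOW
    after = daemon.write(config)         # now refused
    low_ok = daemon.write(scratch)       # low-integrity target still writable
    return before, after, low_ok, daemon.level, daemon.audit
```

The only configuration in the model is the label on each object; the subject's label is never set by hand, which is the "less configuration" property the quoted text refers to.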