Karl MacMillan has written a detailed response to my article comparing the MLS policies of Trusted Extensions and SELinux. Although I don't agree with many of his assertions, I think this is a healthy discussion. I've posted comments on his blog, but I have one other point to make here.
Despite the fact that my article was about the MLS policies in TX and SELinux, Mr. MacMillan generally played down MLS as a viable security technology. He states:
The problem, in my view, is that the separation offered by MLS systems is more severe than most commercial customers can tolerate and there is no secure way to relax those restrictions. That is where type enforcement really shines. It is possible to clearly and securely specify how information can flow to allow limited flow of data in certain circumstances through specific, trusted processes. The inflexibility of MLS doesn’t offer this: processes are either confined by the policy or are trusted to circumvent it in coarse-grained ways. Relaxing the policy to make it useful essentially destroys any security
I disagree that relaxing the MLS policy destroys any security benefit. In Trusted Extensions, the MLS policy for labeled zones is always enforced, even for privileged processes. The policy can be relaxed to permit specific trusted processes to request that individual files are upgraded or downgraded, but such relabeling is still subject to review by TCB processes in the global zone. Multilevel ports can be configured for use by trusted processes, but they are still constrained to communicate at specific levels.
Type Enforcement has a lot of potential, but MLS, as implemented in Trusted Extensions, provides unique advantages. I am pleased to see a growing awareness in the secure OS community.