Security Link Of The Day: Response to Trusted Extensions vs RHEL

Karl MacMillan has blogged a response to Glenn Faden's comparison of Trusted Extensions and SE Linux as used in RHEL5 for LSPP (Labeled Security Protection Profile).

I almost stopped reading after the first few paragraphs though because of the discussion about the use of "Trusted". In reality "Trusted Extensions" is really "Bell LaPadula Model Label Services" but that just doesn't roll off the tongue that easily, nor does it build on the "Trusted Solaris" brand and show the relationship. "Trusted" for Solaris is about as meaningful as "Security Enhanced" for Linux :-) So the main reasons we use the "Trusted" moniker are marketing and brand awareness, and no, I'm not in marketing :-)

There are already some comments on Karl's blog from Glenn clarifying some points as well as some from David Comay about the overhead of Zones. Great to see this type of discussion happen in the open between the two communities. Hopefully a better understanding and scope for future collaboration is the outcome for all, particularly in the networking areas around IPsec.

- Darren

Comments:

B-LP is indeed Trusted Extensions' (and Trusted Solaris') default model for label services, however I've seen some interesting stuff which suggests that you don't have to go down the B-LP route if you don't want to.

If you have a label set which comprises a single sensitivity and multiple compartments, you can make something which looks rather more like a matrix model - especially if you use the words normally used to describe sensitivities within the compartment-side textual representations.

As you'd expect, mapping roles and privileges onto such a model takes at least as much work as B-LP does, but I gather it's been done for some real-world deployments.

Posted by Dave Walker on April 02, 2007 at 01:39 AM PDT #
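
The label arrangement described in the comment above can be sketched with a small model. This is an added example, not code from the post, the comment, Trusted Extensions or SE Linux; the level names, compartment names, subjects and objects are all constructed for illustration. It applies the standard Bell-LaPadula dominance rule to a label set with a single sensitivity, where the result is a sparse access table decided entirely by compartment sets.

```python
from dataclasses import dataclass

# Constructed sensitivity ordering (not taken from any real label encodings file).
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

def dominates(a, b):
    """a dominates b: level at least as high AND a superset of b's compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

def can_read(subject, obj):
    # Simple security property: no read up.
    return dominates(subject, obj)

def can_write(subject, obj):
    # *-property: no write down.
    return dominates(obj, subject)

def flat(*compartments):
    """Label in a single-sensitivity label set: only the compartments vary."""
    return Label("PUBLIC", frozenset(compartments))

def access_matrix(subjects, objects):
    """Effective access per (subject, object) pair: 'r', 'w', 'rw' or ''."""
    return {
        (s, o): ("r" if can_read(sl, ol) else "") + ("w" if can_write(sl, ol) else "")
        for s, sl in subjects.items()
        for o, ol in objects.items()
    }

# Constructed data: a sensitivity-like word ("RESTRICTED") used as a compartment name.
SUBJECTS = {"alice": flat("HR", "HR-RESTRICTED"), "bob": flat("HR"),
            "carol": flat("FINANCE")}
OBJECTS = {"payroll": flat("HR", "HR-RESTRICTED"), "handbook": flat("HR"),
           "ledger": flat("FINANCE")}

if __name__ == "__main__":
    for (s, o), mode in sorted(access_matrix(SUBJECTS, OBJECTS).items()):
        print(f"{s:6} {o:9} {mode or '-'}")
```

Labels with incomparable compartment sets (here HR versus FINANCE) dominate in neither direction, so those pairs get no access at all, which is what gives the table its matrix-like shape.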
