On Fri, 15 Jun 2007, Casey Schaufler wrote:

>
> --- James Morris <[EMAIL PROTECTED]> wrote:
>
> > On my system, it takes about 1.2 seconds to label a fully checked out
> > kernel source tree with ~23,000 files in this manner
>
> That's an eternity for that many files to be improperly labeled.
> If, and the "if" didn't originate with me, your policy is
> demonstrably correct (how do you do that?) for all domains
> you could claim that the action is safe, if not ideal.
> I can't say if an evaluation team would buy the "safe"
> argument. They've been known to balk before.

To clarify: We are discussing a scheme where the underlying SELinux labeling policy always ensures a safe label on a file, and then relabeling newly created files according to their pathnames.

There is no expectation that this scheme would be submitted for certification. Its purpose is merely to provide pathname-based labeling outside of the kernel.

- James
-- 
James Morris <[EMAIL PROTECTED]>
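The userspace half of the scheme discussed above, as an added Python example that is not code from this thread: it maps pathnames to labels and lists the files still carrying the policy-assigned label, which is the window Casey is asking about. The rule set, the `src_*_t` type names and the simplified "last matching rule wins" ordering are assumptions made for illustration.

```python
import os
import re
import tempfile

# Constructed pathname rules (regex -> context); the type names are hypothetical.
RULES = [
    (r"/.*", "system_u:object_r:src_t:s0"),
    (r"/.*\.sh", "system_u:object_r:src_script_t:s0"),
    (r"/\.git(/.*)?", "system_u:object_r:src_meta_t:s0"),
]
XATTR = "security.selinux"  # xattr in which SELinux stores a file's context

def label_for(relpath, rules=RULES):
    """Context of the last rule whose regex matches the whole path, else None."""
    hits = [ctx for pat, ctx in rules if re.fullmatch(pat, relpath)]
    return hits[-1] if hits else None

def read_label(path):
    """Current context, or None if the filesystem exposes no SELinux xattr."""
    try:
        return os.getxattr(path, XATTR, follow_symlinks=False).decode().rstrip("\0")
    except OSError:
        return None

def relabel_plan(root, get_label=read_label, rules=RULES):
    """List (path, current, wanted) for files whose label differs from the rules."""
    plan = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            wanted, current = label_for(rel, rules), get_label(full)
            if wanted is not None and current != wanted:
                plan.append((full, current, wanted))
    return plan

def apply_plan(plan):
    """Write the wanted labels; needs SELinux and permission to relabel."""
    for path, _current, wanted in plan:
        os.setxattr(path, XATTR, wanted.encode(), follow_symlinks=False)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.makedirs(os.path.join(root, ".git"))
        for rel in ("Makefile", "build.sh", ".git/config"):
            open(os.path.join(root, rel), "w").close()
        print(*relabel_plan(root), sep="\n")
```

Every entry in the plan is a file that is, for the moment, governed only by whatever label the kernel policy assigned at creation, so the scheme is only as safe as that default label is restrictive.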