RFC: Requirements for MAC policies and implementation
Ilmar S. Habibulin
ilmar at ints.ru
Wed Oct 11 06:51:47 GMT 2000
On Tue, 10 Oct 2000, Robert Watson wrote:
> The MAC label I've started experimenting with contains three components:
>
> o MLS type and level (no non-hierarchal component yet)
> o Biba type and level (no non-hierarchal component yet)
> o Optimized system partition identifier

Why don't you have non-hierarchal components? They were implemented
somehow in my patches. I think that they should be reimplemented to use
an array of components, not a bitmask. But a bitmask should work right now.

> Right now they're substantially smaller than ACLs. Generally, disk access
> for file system objects is by far dominating label access, and given
> improved locality code, I'd hope that it would continue to. That said, I
> think the label access is the most noticeable aspect right now, although
> I'd guess per-packet labeling will also be expensive due to expanded
> working set on the CPU cache.

By per-packet, you mean network packets? I think that only connections and
network interfaces should be labeled.
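
For reference, an added example (not code from this thread or from TrustedBSD) of how a label with MLS and Biba levels plus bitmask compartments can be compared. The struct layout, field widths and function names are assumptions; the partition identifier is carried but not evaluated because the thread does not describe its semantics.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label layout (assumption, not the TrustedBSD structure). */
struct mac_label {
    uint16_t mls_level;   /* hierarchical confidentiality level */
    uint64_t mls_comp;    /* non-hierarchical compartments, one bit each */
    uint16_t biba_level;  /* hierarchical integrity level */
    uint64_t biba_comp;   /* non-hierarchical integrity compartments */
    uint32_t partition;   /* carried only; not evaluated in this example */
};

/* (la, ca) dominates (lb, cb) when the level is at least as high and
 * the compartment set is a superset. Two labels can be incomparable. */
static bool dominates(uint16_t la, uint64_t ca, uint16_t lb, uint64_t cb)
{
    return la >= lb && (ca & cb) == cb;
}

/* Read: MLS "no read up" and Biba "no read down". */
bool mac_can_read(const struct mac_label *s, const struct mac_label *o)
{
    return dominates(s->mls_level, s->mls_comp, o->mls_level, o->mls_comp) &&
           dominates(o->biba_level, o->biba_comp, s->biba_level, s->biba_comp);
}

/* Write: MLS "no write down" and Biba "no write up". */
bool mac_can_write(const struct mac_label *s, const struct mac_label *o)
{
    return dominates(o->mls_level, o->mls_comp, s->mls_level, s->mls_comp) &&
           dominates(s->biba_level, s->biba_comp, o->biba_level, o->biba_comp);
}

int main(void)
{
    /* Constructed sample labels. */
    struct mac_label subj  = { .mls_level = 3, .mls_comp = 0x1, .biba_level = 1 };
    struct mac_label low   = { .mls_level = 2, .mls_comp = 0x1, .biba_level = 2 };
    struct mac_label other = { .mls_level = 2, .mls_comp = 0x3, .biba_level = 2 };

    printf("read low:   %d\n", mac_can_read(&subj, &low));
    printf("write low:  %d\n", mac_can_write(&subj, &low));
    printf("read other: %d\n", mac_can_read(&subj, &other));
    return 0;
}
```

The third case is denied even though the subject's level is higher, because the object carries a compartment bit the subject lacks.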