On Mon, Mar 30, 2009 at 08:07:02PM -0700, Casey Schaufler wrote:

> Not to throw a puppy in the gears, but sophisticated handshaking and
> negotiation protocols are not the answer. We had TSIG session management
> for doing that and it is just not enough. How would you negotiate the
> differences between two SELinux policies?
You don't. You either establish that they are the same (or that one or both peers are translating to a common policy) or that they are not. In the latter case you fail to communicate further.

It seems quite reasonable to me to have a single policy for a site -- that seems doable for MLS, but for DTE it's more likely that there will be OS-specific parts of a site policy, and the potential need to map between existing OS-specific policies and something else seems daunting, at least at first glance, but I'm an optimist, so I think it must be doable :)

Nico
--