Darren J Moffat wrote:
> Alan Coopersmith wrote:
>> The changes that resulted in these version number bumps include:
>>  - Replacing the X server's internal access permission checking with
>>    a much more fine-grained permission checking system, contributed by
>>    the NSA as part of their SELinux project.
> 
> Does this help or hinder the xtsol module in any way?

As noted, it required porting work.   The upstream code has introduced a
generalized access control framework (XACE, the X Access Control Extension,
though it's not an actual protocol extension), designed by Eamon Walsh at
the NSA to provide the hooks needed for the existing XC-Security extension,
the SELinux extension he developed, and the XTSol extension.   He is very
aware of XTSol and has adjusted the XACE hooks to allow for it in several
places that it had checks SELinux did not, though disagrees with several
of the XTSol design choices and has corresponded with the XTsol team and
myself on multiple occasions.   (I actually did the initial integration of
his XACE code upstream for Xorg 1.2 before he got direct commit access.)

The XACE hooks have replaced a number of, but not yet all of, the places
the Xtsol code modified the core server to insert hooks for their module
to add checks, so helps the core X team in reducing the number of differences
to upstream code we have to maintain and port to each new release.

As for the long term help or hindrance to the xtsol module itself, that's
a question Lok & Glenn are probably better to answer than myself.

> Does it help the OpenSolaris FMAC project in any way?

I don't know enough about that project to venture a guess - sounds like a
question to ask that project team.   I do note their project page mentions
use of the XACE framework.

> Either way since the case material says the xtsol module has been ported
> over I'm happy to give my +1 and the above questions are for my
> curiosity only.
> 
> -- 
> Darren J Moffat

-- 
        -Alan Coopersmith-           alan.coopersmith at sun.com
         Sun Microsystems, Inc. - X Window System Engineering

