On Sat, Mar 25, 2006 at 05:17:08PM -0500, Steven M. Bellovin wrote:
>
> That's where we disagree.  I'm concerned not just with assurance for
> the programmer, but for the administrator of such a system.  With the
> new scheme, when you set certain flags, do you have a clear
> understanding what is and isn't possible for an attacker?  Securelevel
> can be described in a few paragraphs; you know what you're getting
> (modulo code bugs, but that's not what I'm talking about here).

My suggestion is that we ship knob-settings that give you _exactly_
what we used to (claim to ("modulo bugs") ;-)) give you with securelevel 1.

If you decide to go under the hood and change those sets of knob-settings,
then, yes, you're on your own to get it right.  But what _we_ ship should
do just what the old code did, from the administrator's point of view.

-- 
  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart