Subject: Re: SE Linux vs SE NetBSD !!
To: Robert Watson <>
From: Steven M. Bellovin <>
List: tech-kern
Date: 08/26/2006 00:16:11

On Sat, 26 Aug 2006 04:59:46 +0100 (BST), Robert Watson <> wrote:
> The less often seen variation is the floating label version, in which subjects 
> are "downgraded" when they touch lower integrity objects, such as packets from 
> untrusted network interfaces, etc.  The theory behind this is that it requires 
> less configuration -- you mark your trusted "stuff" and things remain with 
> high integrity rights until they touch something less trusted.  mac_lomac 
> implements this on FreeBSD, but is considered quite experimental.  I believe 
> there's a recent Linux implementation by IBM; the older implementations done 
> by Tim Fraser at TIS were done on FreeBSD and Linux, and were published about 
> at USENIX, I think.

The oldest implementation I know of is by Doug McIlroy and Jim Reeds:
"Multilevel security in the Unix tradition", Software -- Practice and
Experience, 1992, vol 22, pp 673-694.  Google Scholar has it indexed; I
highly recommend reading it.

		--Steven M. Bellovin,
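
The floating-label (low-water-mark) behaviour described in the quoted text, as an added example that is not part of the original message and is not mac_lomac's code. It assumes a two-level toy model; the names lw_read, lw_write and run_scenario are hypothetical.

```c
#include <stdio.h>

/* Integrity levels for this toy model (constructed): higher = more trusted. */
enum { LOW = 0, HIGH = 1 };

struct subject { const char *name; int level; };
struct object  { const char *name; int level; };

/* Read (observe): always allowed, but the subject's label floats down
 * to the minimum of its own level and the object's level. */
static int lw_read(struct subject *s, const struct object *o)
{
    if (o->level < s->level)
        s->level = o->level;   /* downgrade on contact */
    return 1;
}

/* Write (modify): allowed only if the subject's current level is at
 * least the object's level. Writing never changes a label. */
static int lw_write(const struct subject *s, const struct object *o)
{
    return s->level >= o->level;
}

/* Scenario: a daemon starts HIGH, updates a trusted config file, reads a
 * packet from an untrusted interface, then tries the same update again.
 * Returns a bitmask: bit 0 = first write allowed, bit 1 = second write
 * allowed, bit 2 = daemon still HIGH at the end. */
static int run_scenario(void)
{
    struct subject daemon = { "daemon", HIGH };
    struct object config = { "trusted_config", HIGH };
    struct object packet = { "untrusted_packet", LOW };
    int r = 0;

    if (lw_write(&daemon, &config)) r |= 1;
    lw_read(&daemon, &packet);
    if (lw_write(&daemon, &config)) r |= 2;
    if (daemon.level == HIGH) r |= 4;
    return r;
}

int main(void)
{
    printf("scenario result mask: %d\n", run_scenario());
    return 0;
}
```

Only the object labels are configured up front; the daemon's loss of write access to the trusted file follows from what it read, not from a per-subject rule.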