The logic here is that most of the time files of a certain type are usually in logical locations, whereas with SELinux the logic is that types are intrinsic properties of objects, saved in their metadata. The difference is that with the latter moving the object does not change the properties (the context comes along), while the former might lose the properties in case something made moving outside the intended envelope possible.
The approach taken by Tame is technically easier to implement without shooting yourself in the foot, and is also featured in Grsecurity's RBAC implementation. Jolly good.
The thing just is, the approach taken by SELinux with the external security daemon can be and has been extended beyond files. Tracking the information by its properties when it moves from files to databases, web servers, etc., is a powerful (but extremely hard for implementors) feature. Also, administratively the security classifications of documents are properties of documents, not of the storage containers they are found in.
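A toy model of the contrast drawn above, added here as an illustration rather than taken from the thread or from Tame, Grsecurity or SELinux: one policy decides by where an object lives (a path prefix), the other by a label stored with the object. Moving the object out of its intended directory shows which policy loses track of it. All paths, labels and rule tables are constructed for the example.

```python
"""Path-based vs label-based classification, side by side.

Constructed example. PathPolicy keys its decision on the object's
location; LabelPolicy keys it on metadata the object carries. A move
(rename) changes only the location, so only PathPolicy is affected.
"""
from dataclasses import dataclass

# Clearance/classification lattice, lowest to highest (constructed).
LEVELS = ["unclassified", "confidential", "secret"]


@dataclass(frozen=True)
class Obj:
    path: str
    label: str  # intrinsic classification, travels with the object


class PathPolicy:
    """Classify by location: first matching directory prefix wins."""

    def __init__(self, rules):
        self.rules = rules  # list of (prefix, classification)

    def classify(self, obj):
        for prefix, cls in self.rules:
            if obj.path.startswith(prefix):
                return cls
        return "unclassified"  # nothing matched: the file is "lost" to the policy


class LabelPolicy:
    """Classify by the label stored on the object itself."""

    def classify(self, obj):
        return obj.label


def may_read(clearance, classification):
    """Simple dominance check: subject may read at or below its clearance."""
    return LEVELS.index(clearance) >= LEVELS.index(classification)


def move(obj, new_path):
    """Rename: only the path changes, the label (metadata) comes along."""
    return Obj(path=new_path, label=obj.label)


def demo():
    """Return what an unclassified subject may read before and after a move."""
    path_pol = PathPolicy([("/srv/secret/", "secret"),
                           ("/srv/public/", "unclassified")])
    label_pol = LabelPolicy()
    subject = "unclassified"

    doc = Obj("/srv/secret/plan.txt", "secret")  # constructed object
    before = {
        "path": may_read(subject, path_pol.classify(doc)),
        "label": may_read(subject, label_pol.classify(doc)),
    }

    # Something outside the intended envelope moves the file.
    moved = move(doc, "/srv/public/plan.txt")
    after = {
        "path": may_read(subject, path_pol.classify(moved)),   # now allowed
        "label": may_read(subject, label_pol.classify(moved)), # still denied
    }
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before move:", b)
    print("after move: ", a)
```

Before the move both policies deny the low-clearance subject; after the move the path-based policy re-classifies the file by its new directory and grants access, while the label-based policy keeps denying because the label moved with the object. This is exactly why path-based schemes depend on the directory layout being enforced by other means.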
I like the idea of making sure my program doesn't go off the rails and become an attack vector. It is an interesting contrast to the external mechanism without input from the program.