Hi Chris,

it seems Jan has well answered all relevant points,
one thing though:

On Mon, Mar 26, 2007 at 02:00:19PM -0400, Chris PeBenito wrote:
> > attribute. I'm not even sure if it is appropriate, since such security
> > labels define a local policy.
> 
> I don't agree with this last point.  If security was local to a machine,
> there would never be anything like domains in Windows.  SELinux is
> already building up infrastructure for network policies in the same
> administrative domain, and also researching policies between
> administrative domains.

The word "local" is heavily overloaded.

A local policy in this context is a policy regulating the behaviour
of a host (according to the context, of a file system client host).

A policy remains local even when applied to more than one host/client,
unless it happens to govern all of the hosts in the world.

The policies of the Windows domains and even the cross-domain policies
you mention are _local_ ones (in contrast to administration of the "rest
of the world"'s hosts, governed by indefinite number of other local
policies).

Regards,
Rune