Andreas Gruenbacher wrote:In particular, to layer AppArmor on top of SELinux, the following problems must be addressed: * New files: when a file is created, it is labeled according to the type of the creating process and the type of the parent directory. Applications can also use libselinux to use application logic to relabel the file, but that is not 'mandatory' policy, and fails in cases like cp and mv. AppArmor lets you create a policy that e..g says "/home/*/.plan r" to permit fingerd to read everyone's .plan file, should it ever exist, and you cannot emulate that with SELinux. * Renamed Files: Renaming a file changes the policy with respect to that file in AA. To emulate this in SELinux, you would have to have a way to instantly re-label the file upon rename. * Renamed Directory trees: The above problem is compounded with directory trees. Changing the name at the top of a large, bushy tree can require instant relabeling of millions of files. * New Policies: The SEEdit approach of compiling AA profiles into SELinux labels involves computing the partition set of files, so that each element of the partition set is unique, and corresponds to all the policies that treat every file in the element identically. If you create a new profile that touches *some* of the files in such an element, then you have to split that synthetic label, re-compute the partition set, and re-label the file system. * File Systems That Do Not Support Labels: The most important being NFS3 and FAT. Because they do not support labels at all, SELinux has to give you an all-or-nothing access control on the entire remote volume. AA can give you nuanced access control in these file systems. You could support all of these features in SELinux, but only by adding an in-kernel file matching mechanism similar to AppArmor. It would basically load an AppArmor policy into the kernel, label files as they are brought from disk into the cache, and then use SELinux to do the access controls. That doesn't make it a good idea: * The patch would be at least as complex and intrusive as the proposed AppArmor patch, there is no simplicity already-upstream savings here. * It would require the VFS and d_path patches that AppArmor needs to pass mount points down. * It would make AppArmor's ability to change policies on a live system more difficult. * The necessary extensions would not be appealing to the SELinux community. LSM is the common code that AA and SELinux have agreed to be mutually useful. Forcing AA to sit on top of SELinux would harm both AA and SELinux. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/#apparmor - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
| Stoyan Gaydarov | From 2.4 to 2.6 to 2.7? |
| David Miller | [GIT]: Networking |
| Bernd Petrovitsch | Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3 |
| Stephen Rothwell | linux-next: Tree for July 18 |
git: | |
| Peter Karlsson | Git on Windows, CRLF issues |
| Jari Aalto | Re: On Tabs and Spaces |
| Stephan Beyer | git sequencer prototype |
| Linus Torvalds | "fatal: Untracked working tree file 'so-and-so' would be overwritten by merge" |
| GVG GVG | ssh_exchange_identification: Connection closed by remote host |
| Theo de Raadt | That whole "Linux stealing our code" thing |
| Jerome Santos | sshd.config and AllowUsers |
| Don Jackson | How to use (compact) flash cards with OpenBSD |
| Jim Winstead Jr. | Re: Root Disk/Book Disk Compatibility |
| Rick Emerson | Re: [comp.os.linux]: Re: File system issues! |
| Desmond A. Kirkpatrick | ATI GUP bug with Linux 'tickler' |
| Harald Zinnen | FTape QIC-80 Driver |
