On 2007-06-22T07:19:39, Stephen Smalley <sds@tycho.nsa.gov> wrote:

Again, you're saying that AA is not confining unconfined processes. That's a given. If unconfined processes assist confined processes in breaching their confinement, yes, that is not mediated.

You're basically saying that anything but system-wide mandatory access control is pointless. If you want to go down that route, what is your reply to me saying that SELinux cannot mediate NFS mounts - if the server is not confined using SELinux as well?

The argument is really, really moot and pointless. Yes, unconfined actions can affect confined processes. That's generally true for _any_ security system.

I'm quite sure that this reply is not AA specific as you try to make it appear.

I want to restrict certain possibly untrusted applications and network-facing services from accessing certain file patterns, because as a user and admin, that's the mindset I'm used to. I might be interested in mediating other channels too, but the files are what I really care about. I'm inclined to trust the other processes.

Your use case mandates complete system-wide mediation, because you want full data flow analysis. Mine doesn't.

Regards,
    Lars

--
Teamlead Kernel, SuSE Labs, Research and Development
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
