On Mon, 2007-06-04 at 23:03 +0200, Andreas Gruenbacher wrote:I have a hard time distinguishing AppArmor's "model" from its implementation; every time we suggest that one might emulate much of AppArmor's functionality on SELinux (as in SEEdit), someone points to a specific characteristic of the AppArmor implementation that cannot be emulated in this manner. But is that implementation characteristic an actual requirement or just how it happens to have been done to date in AA? And I get the impression that even if we extended SELinux in certain ways to ease such emulation, the AA folks would never be satisfied because the implementation would still differ. Can we separate the desired functionality and actual requirements from the implementation specifics? I'd argue a bit with that characterization, given that: - in the case of SELinux, the pathname is never used as a basis for decisions by the kernel, - under AA, each file may have an arbitrary set of "labels" or "policies" applied to it depending on what programs are accessing it and what names are being used to reference it - there is no system view of the subjects and objects and thus no way to identify the overall system policy for a given file. - names are far less tranquil than labels. Live file relabeling (non-tranquility) tends to break one's ability to show anything about preservation of confidentiality or integrity (particularly in the absence of complete revocation support). On the new files issue, it wouldn't be difficult or even a real divergence from our existing model to introduce the component name (not a "full" pathname, but the last component) as an additional input to the decision for labeling new files (along with the existing use of the creating process' label, the parent directory label, and the kind of new file) at creation time, and that would reduce the need somewhat to modify some applications that create files of multiple security contexts in the same directory. That would further help the SEEdit folks in emulating AA on top of SELinux, but as before, I don't get the impression that the AA folks will ever be satisfied with such an emulation, not because of any real requirement but merely because they are tied to their implementation specifics. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
| Parag Warudkar | Re: soft lockup - CPU#1 stuck for 15s! [swapper:0] |
| Bryan Woods | Stardom SATA HSM violation |
| Bart Van Assche | Integration of SCST in the mainstream Linux kernel |
| Steven Rostedt | [PATCH 2/2] ftrace: support for PowerPC |
git: | |
| Abdelrazak Younes | Git-windows and git-svn? |
| Linus Torvalds | Re: On Tabs and Spaces |
| Shawn O. Pearce | Java Git (aka jgit) library switching license to BSD/EPL |
| Manu | Re: fatal: unable to create '.git/index': File exists |
| Brandon Lee | DELL PERC 5iR slow performance |
| Chris Jones | GRE over IPsec |
| Frank Bax | wine question |
| Jona Joachim | X11 very slow with SMP kernel |
| Jon Anhold | rawrite |
| Mark Tarrabain | Some thoughts on device drivers |
| Rik Faith | ATI VGA WONDER driver for x386 |
| Seng-Poh Lee, Speedy | Slight rlogind problem, 'Unable to determine your tty name' |
| SMDK2410 LCD Framebuffer driver | 3 hours ago | Linux kernel |
| Resetting the bios password for Toshiba Laptop | 4 hours ago | Hardware |
| Problem booting a barebone kernel in VMWare | 7 hours ago | Linux kernel |
| IP layer send packet | 11 hours ago | Linux kernel |
| PID to ELF image full path | 14 hours ago | Linux kernel |
| types of kernel | 1 day ago | Linux kernel |
| magical mounts | 2 days ago | Linux kernel |
| Problem in scim in Fedora 9 | 2 days ago | Linux general |
| The new Western Digital power saving drives | 2 days ago | Hardware |
| Battery Maximizer Software | 3 days ago | Linux kernel |
