Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

To: Eric W. Biederman <ebiederm@...>
Cc: Alan Cox <alan@...>, Serge E. Hallyn <serge@...>, Kyle Moffett <mrmacman_g4@...>, Linus Torvalds <torvalds@...>, Bill Davidsen <davidsen@...>, James Morris <jmorris@...>, Andrew Morton <akpm@...>, <casey@...>, <linux-security-module@...>, <linux-kernel@...>
Date: Wednesday, October 10, 2007 - 11:45 am

On Wed, 2007-10-10 at 07:48 -0600, Eric W. Biederman wrote:

SELinux internally has a notion of a type hierarchy, where a type is
limited to a subset of its parent's permissions, and one can then
delegate the ability to manage sub-types via a policy daemon.  But this
is all handled in userspace; the kernel doesn't care about it.

Ditto for the modular policy support - that's a userspace construct that
is ultimately turned into a single coherent policy for the kernel to
enforce.


A LSM implements a security model, where that model may encompass all
processes and objects.  SELinux (and Smack) in particular implement
mandatory access control and thus need to enforce consistent policy over
all processes and objects based on their security labels.

-- 
Stephen Smalley
National Security Agency
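
The hierarchy constraint described in the message above (a type limited to a subset of its parent's permissions, checked in userspace before the kernel sees the policy), as an added example that is not part of the original message or of SELinux's own tooling. The rule tuples, the parent map and all type names are constructed, simplified assumptions, not SELinux policy syntax.

```python
# Added example: simplified userspace check of a type hierarchy.
# Rule tuples, the PARENT map and the type names are constructed for
# illustration; they are not SELinux policy syntax or a real tool's model.
from collections import defaultdict

# child type -> parent type (constructed sample hierarchy)
PARENT = {"svc_worker_t": "svc_t", "svc_helper_t": "svc_worker_t"}

# (source type, target type, object class, permissions), constructed sample
RULES = [
    ("svc_t", "svc_data_t", "file", {"read", "getattr", "open"}),
    ("svc_t", "svc_log_t", "file", {"append", "getattr", "open"}),
    ("svc_worker_t", "svc_data_t", "file", {"read", "getattr"}),
    ("svc_helper_t", "svc_data_t", "file", {"read"}),
    ("svc_helper_t", "svc_log_t", "file", {"append"}),  # parent lacks this
]


def build_access(rules):
    """Merge rules into {source: {(target, class): set_of_perms}}."""
    access = defaultdict(lambda: defaultdict(set))
    for src, tgt, cls, perms in rules:
        access[src][(tgt, cls)] |= set(perms)
    return access


def hierarchy_violations(rules, parent):
    """Return sorted (child, parent, target, class, extra_perms) tuples for
    every permission a child type holds that its immediate parent does not.
    Checking each level against its immediate parent is enough: if every
    level passes, the subset property holds transitively up the tree."""
    access = build_access(rules)
    found = []
    for child, par in parent.items():
        for (tgt, cls), perms in access.get(child, {}).items():
            allowed = access.get(par, {}).get((tgt, cls), set())
            extra = perms - allowed
            if extra:
                found.append((child, par, tgt, cls, tuple(sorted(extra))))
    return sorted(found)


if __name__ == "__main__":
    # A policy build would refuse to emit the flat policy if this is non-empty.
    for v in hierarchy_violations(RULES, PARENT):
        print("violation: %s exceeds %s on %s:%s perms=%s" % v)
```
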
