Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

--- "Serge E. Hallyn" <serge@hallyn.com> wrote:

quoted text

> Quoting Casey Schaufler (casey@schaufler-ca.com): > > ... > > Good suggestion. In fact, that is exactly how I approached my > > first two attempts at the problem. What you get if you take that > > route is an imposing infrastructure that has virually nothing > > to do and that adds no value to the solution. Programming to the > > LSM interface, on the other hand, allowed me to drastically reduce > > the size and complexity of the implementation. > > (tongue-in-cheek) > > No no, everyone knows you don't build simpler things on top of more > complicated ones, you go the other way around. So what he was > suggesting was that selinux be re-written on top of smack. > > :)

I'm not sure how seriously anyone ought to take what I'm about to outline. Please feel free to treat it with as much or as little reverence as you choose. How to implement SELinux starting from Smack. You'll need to break up the current rwxa accesses into a set that matches the current SELinux set. Assign each a letter and a "MAY_ACTION" #define. You'll need a mapping for domain transitions, something like: subject-label program-label new-subject-label This will require bprm hooks that aren't there now. Additional hooks will need to be filled out as Smack does not add access control to things that aren't objects or actions that aren't accesses. Treat these as if they are accesses to objects and there shouldn't be too much trouble. Do something about the linear search for subject/object label pairs. With the larger label set searching will become an issue. Audit integration, too. The networking code will require some work for ipsec. The interfaces are pretty clean, Smack isn't using it because the CIPSO interface is simpler, not because there's any real problem with it. I wouldn't expect the whole thing to be more than a couple week's work for someone who really wanted to do it. Casey Schaufler casey@schaufler-ca.com -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
David Dillow	CONFIG_NO_HZ breaks blktrace timestamps
David Miller	Re: tg3: unable to handle null pointer dereference
git:
Martin Langhoff	Handling large files with GIT
Jakub Narebski	Re: VCS comparison table
Scott Chacon	Git Community Book
Matthew L Foster	git and time
openbsd-misc:
Daniel Ouellet	identifying sparse files and get ride of them trick available?
Richard Stallman	Real men don't attack straw men
Stefan Beke	mail dovecot: pipe() failed: Too many open files
Rico Secada	Re: Binary kernel and base update
linux-netdev:
Evgeniy Polyakov	Re: [PKT_SCHED]: Add stateless NAT
Tantilov, Emil S	RE: [BUG] NULL pointer dereference in skb_dequeue
KOVACS Krisztian	[PATCH 10/14] iptables socket match
Ilpo Järvinen	[PATCH] [TCP]: Separate lost_retrans loop into own function


How to make initramfs smaller	3 minutes ago	Linux kernel
how to check if a given block device is in use?	30 minutes ago	Linux kernel
How to exec user process in kernel mode.	58 minutes ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	3 days ago	Linux kernel
help in UDP catching module..	3 days ago	Linux kernel
Is there anything like Real-time drivers?	5 days ago	Linux general
ns16550 serail console in Linux 2.6.19	5 days ago	Linux general
what class should i use to register my devices	5 days ago	Linux kernel
reset bios pasword toshiba	6 days ago	Hardware
Analysis of Process Scheduling	1 week ago	Linux kernel

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

Online users