Crispin Cowan wrote:
quoted text
> david@lang.hm wrote:
>   
>> On Fri, 8 Jun 2007, Greg KH wrote:
>>     
>>> I still want to see a definition of the AA "model" that we can then use
>>> to try to implement using whatever solution works best.  As that seems
>>> to be missing the current argument of if AA can or can not be
>>> implemented using SELinux or something totally different should be
>>> stopped.
>>>       
>> the way I would describe the difference betwen AA and SELinux is:
>>
>> SELinux is like a default allow IPS system, you have to describe
>> EVERYTHING to the system so that it knows what to allow and what to stop.
>>
>> AA is like a default deny firewall, you describe what you want to
>> happen, and it blocks everything else without you even having to
>> realize that it's there.
>>     
> That's not quite right:
>
>     * SELinux Strict Policy is a default-deny system: it specifies
>       everything that is permitted system wide, and all else is denied.
>     * AA and the SELinux Targeted Policy are hybrid systems:
>           o default-deny within a policy or profile: confined processes
>             are only permitted to do what the policy says, and all else
>             is denied.
>           o default-allow system wide: unconfined processes are allowed
>             to do anything that classic DAC permissions allow.
>   
Still not completely correct, though the targeted policy has an 
unconfined domain (unconfined_t) the policy still has allow rules for 
everything unconfined can do, 2 examples of things unconfined still 
can't do (because they aren't allowed by the targeted policy) is execmem 
and a while back when there was a /proc exploit that required setattr on 
/proc/self/environ; unconfined_t wasn't able to do that either (and 
therefore the exploit didn't work on a targeted system).

That said, the differentiation between strict and targeted is going away 
soon so that one can have some users be unconfined (but still with a few 
restrictions) and others can be fully restricted.

-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/