Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

On Sat, 9 Jun 2007, Kyle Moffett wrote:

quoted text

> On Jun 09, 2007, at 01:18:40, david@lang.hm wrote: >> SELinux is like a default allow IPS system, you have to describe EVERYTHING >> to the system so that it knows what to allow and what to stop. > > WRONG. You clearly don't understand SELinux at all. Try booting in > enforcing mode with an empty policy file (well, not quite empty, there are a > few mandatory labels you have to create before it's a valid policy file). > /sbin/init will load the initial policy, attempt to re-exec() itself... and > promptly grind to a halt. End-of-story.

sigh, two paragraphs below what you quoted I acknowledged exactly what you state. however since you must tag everything before you turn on any security it seems to me that you have to define everything, which is a similar amount of work as you would have to do for a default allow policy.

quoted text

> Typical "targetted" policies leave all user logins as unrestricted, adding > security for daemons but not getting in the way of users who would otherwise > turn SELinux off. On the other hand, a targeted policy has a "trusted" type > for user logins which is explicitly allowed access to everything.

Ok, it sounds as if I did misunderstand SELinux. I thought that by labeling the individual files you couldn't do the 'only restrict apache' type of thing.

quoted text

> That said, if you actually want your system to *work* with any default-deny > policy then you have to describe EVERYTHING anyways. How exactly do you > expect AppArmor to "work" if you don't allow users to run "/bin/passwd", for > example.

for AA you don't try to define permissions for every executable, and ones that you don't define policy are unrestricted. so as I understand this with SELinux you will have lots of labels around your system (more as you lock down the system more) you need to define policy so that your unrestricted users must have access to every label, and every time you create a new label you need to go back to all your policies to see if the new label needs to be allowed from that policy is this correct? David Lang -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Dave Young	Re: 2.6.24-rc3-mm1
Linus Torvalds	Linux 2.6.27-rc8
monstr	[PATCH 52/56] microblaze_v2: pci headers
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
git:
Steffen Prohaska	Re: CRLF problems with Git on Win32
Junio C Hamano	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
Junio C Hamano	Re: Cleaning up git user-interface warts
Jakub Narebski	Re: VCS comparison table
linux-netdev:
Larry McVoy	Re: tcp bw in 2.6
Gerrit Renker	Re: [DCCP] [RFC] [Patchv2 1/1]: Queuing policies -- reworked version of Tomasz's p...
Jussi Kivilinna	[PATCH v2 3/3] net_sched: Add size table for qdiscs
Gerrit Renker	[PATCH 13/37] dccp: Deprecate Ack Ratio sysctl
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Tanvir	Re: Adobe Flash on OpenBSD
Zbigniew Baniewski	Re: What is our ultimate goal??
Kevin Neff	Patching a SSH 'Weakness'


high memory	10 hours ago	Linux kernel
semaphore access speed	13 hours ago	Applications and Utilities
the kernel how to power off the machine	14 hours ago	Linux kernel
Easter Eggs in windows XP	16 hours ago	Windows
Shared swap partition	17 hours ago	Linux general
Root password	17 hours ago	Linux general
Where/when DNOTIFY is used?	19 hours ago	Linux kernel
How to convert Linux Kernel built-in module into a loadable module	22 hours ago	Linux kernel
Linux 2.6.24 and I/O schedulers	22 hours ago	Linux kernel
USB Driver -- Interrupt Polling -- A Little Help Please	1 day ago	Linux general

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

Online users