... 03:57AM +0200, Andreas Gruenbacher wrote: > > AppArmor is meant to be relatively ... of time researching various ways how AppArmor-like semantics could be implemented ... it. http://forgeftp.novell.com//apparmor/LKML_Submission-May_07/techdoc.pdf What ...

linux-fsdevel - Andreas Gruenbacher - Jun 9 2007 - 11:05

... lie. I have a hard time distinguishing AppArmor's "model" from its implementation; every ... points to a specific characteristic of the AppArmor implementation that cannot be emulated in ... is no system view of the subjects and objects and thus no way to ...

linux-fsdevel - Stephen Smalley - Jun 6 2007 - 09:26

... no system view of > the subjects and objects and thus no ... security policy. The rules in AppArmor profiles also define equivalence classes ... one that does not permit re-labeling, while a tranquil system ... is applicable in areas where AppArmor is not (e.g., MLS ...

linux-fsdevel - Andreas Gruenbacher - Jun 8 2007 - 18:03

... the confinement claims being made about AppArmor's confinement capabilities are simply not ... of software flaws and compromised systems. AppArmor includes everything you need to ... /4/19/357 "My gosh, you're right. What the heck? With all ...

linux-fsdevel - James Morris - Jun 22 2007 - 09:48

... assume you mean labels instead of handles. AppArmor's design is around paths not labels ... when a policy is rolled out), whereas AppArmor computes the "label" of each file ... a hybrid between the SELinux and the AppArmor model, not a superset. It could ...

linux-fsdevel - Andreas Gruenbacher - Jun 4 2007 - 17:03

... you mean labels instead of handles. > > > > AppArmor's design is around paths not ... I have a hard time distinguishing AppArmor's "model" from its > implementation; ... to a > specific characteristic of the AppArmor implementation that cannot be > emulated ...

linux-fsdevel - Greg KH - Jun 6 2007 - 13:32

... :03:57AM +0200, Andreas Gruenbacher wrote: >> >>> AppArmor is meant to be relatively easy ... have to split that synthetic label, re-compute the partition set, and re- ... and intrusive as the proposed AppArmor patch, there is no simplicity ...

linux-fsdevel - Crispin Cowan - Jun 10 2007 - 13:09

... described here: http://forgeftp.novell.com//apparmor/LKML_Submission-May_07/techdoc.pdf Under the ... a bad way to emulate the AppArmor model. And yes, I am working ... ' paper apparmor/LKML_Submission-May_07/techdoc.pdf>, but that ...

linux-fsdevel - Crispin Cowan - Jun 15 2007 - 19:30

On Sat, Jun 16, 2007 at 01:39:14AM +0200, Pavel Machek wrote: > > Pavel, please focus on the current AppArmor implementation. You're > > remembering a flaw with a previous version of AppArmor. The pathnames > > constructed with the current version of ...

linux-fsdevel - Seth Arnold - Jun 15 2007 - 20:07

... intended use case is to use AppArmor to confine applications that access ... document http://forgeftp.novell.com//apparmor/LKML_Submission-May_07/techdoc.pdf there ... could supply separate mount points. AppArmor can just use path specifications ...

linux-fsdevel - Crispin Cowan - Jun 18 2007 - 14:48

... does not generalize, and that=20 > AppArmor's inability to provide adequate coverage ... in anyway prevents us from extending AppArmor to mediate IPC or networking. The ... of a technical issue, right? >=20 AppArmor currently controls file and capabilities, ...

linux-fsdevel - John Johansen - Jun 22 2007 - 03:40

... 12:03:57AM +0200, Andreas Gruenbacher wrote: > AppArmor is meant to be relatively easy to ... > SELinux is applicable in areas where AppArmor is not (e.g., MLS), but ... solution in common > scenarios. In my opinion, AppArmor is a better answer than SELinux in ...

linux-fsdevel - Greg KH - Jun 8 2007 - 20:17

... 12:03:57AM +0200, Andreas Gruenbacher wrote: >> AppArmor is meant to be relatively easy to ... >> SELinux is applicable in areas where AppArmor is not (e.g., MLS), but ... solution in common >> scenarios. In my opinion, AppArmor is a better answer than SELinux ...

linux-fsdevel - david - Jun 8 2007 - 21:06

... mean labels instead of handles. > > > > > > AppArmor's design is around paths ... I have a hard time distinguishing AppArmor's "model" from its > > implementation; ... a > > specific characteristic of the AppArmor implementation that cannot be > > emulated ...

linux-fsdevel - Pavel Machek - Jun 9 2007 - 19:47

... s > security policy. The rules in AppArmor profiles also define equivalence > classes in the ... change the allowed accesses from a given subject to a given object without relabeling, ... > one that does not permit re-labeling, while a tranquil system with ...

linux-fsdevel - Stephen Smalley - Jun 11 2007 - 11:16

... model does not generalize, and that > AppArmor's inability to provide adequate coverage ... > outstanding technical issues relating to AppArmor. > > AppArmor does not and can not ... of Software Engineering http://novell.com AppArmor Chat: irc.oftc.net/# ...

linux-fsdevel - Crispin Cowan - Jun 22 2007 - 00:17

... model does not generalize, and that > > AppArmor's inability to provide adequate coverage ... > outstanding technical issues relating to AppArmor. > > > > AppArmor does not and can not ... the word "confinement" at all wrt AppArmor (it has a long-established ...

linux-fsdevel - Stephen Smalley - Jun 22 2007 - 08:20

... 03:57AM +0200, Andreas Gruenbacher wrote: > >> > >>> AppArmor is meant to be relatively easy ... possible. > > > In particular, to layer AppArmor on top of SELinux, the ... have to split that > synthetic label, re-compute the partition set, and ...

linux-fsdevel - Greg KH - Jun 15 2007 - 12:50

... have been addressed, have they not? AppArmor doesn't actually provide confinement, because ... filesystem objects. What you define in AppArmor policy does _not_ reflect the actual ... technical issue, but the fact that AppArmor simply does not and can not ...

linux-fsdevel - James Morris - Jun 21 2007 - 15:42

... have been addressed, have they not? > > AppArmor doesn't actually provide confinement, ... > filesystem objects. > > > > What you define in AppArmor policy does _not_ reflect the actual ... issue, but the fact that AppArmor > > simply does not and can not ...

linux-fsdevel - Stephen Smalley - Jun 21 2007 - 16:59