Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Alan Cox ([email protected]):
> Thus this sort of stuff needs to be taken seriously. Can SuSE provide a
> good reliable policy for AppArmour to people, can Red Hat do the same
> with SELinux ?

That's a little more than half the question.  The other 40% is can users
write good policies.

I think it will, and already has, become easier for selinux.  But in
this case I wonder whether some sort of contest could be beneficial.  We
all know of Russel Coker's open root selinux play machines.  That's a
powerful statement.  Things I'd like to see in addition are

	a. a similar setup with apparmour
	b. a similar setup where "mere mortals" set up the selinux policy

For the first few rounds, rather than judge one way or the other, we
could hopefully publish the results in a way to encourage a flurry of
selinux policy tools - one of which may actually be useful.

Given that AA is a 'targeted' type of setup, I guess it would need to
have a strict sshd policy, and the game would be whether the policy can
keep anyone with the root password from escaping the policy.

> Note I don't care about whether apparmour is integrated. If the code is
> good and it can be shown it works then fine.

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux