On Tue, 2006-04-18 at 12:31 -0700, Crispin Cowan wrote:
> Karl MacMillan wrote:
> > Which is one reason why SELinux has types (equivalence classes) - it
> > makes it possible to group large numbers of applications or resources
> > into the same security category. The targeted policy that ships with
> > RHEL / Fedora shows how this works in practice.
> >
> AppArmor (then called "SubDomain") showed how this worked in practice
> years before the Targeted Policy came along. The Targeted Policy
> implements an approximation to the AppArmor security model, but does it
> with domains and types instead of path names, imposing a substantial
> cost in ease-of-use on the user.
Just to clarify a few points:
- It is true that both AppArmor and SELinux with targeted policy only
(effectively) restrict a subset of processes, but SELinux with targeted
policy provides complete mediation of all objects and operations for
those processes, not just capabilities and files like AppArmor.
- Targeted policy demonstrates that a general purpose mechanism that is
capable of complete mediation of all processes, objects, and operations
(SELinux) can be applied to selective control if that is your goal. The
reverse is not true; AppArmor is limited by its design.
- Ease of use should be addressed in the user interface, not by using a
broken kernel mechanism. There is ongoing work to address the
useability of SELinux in userspace; it doesn't require changing the
kernel mechanism to rely on pathnames (which is broken).
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]