Re: [AppArmor 00/44] AppArmor security module overview

Hi!

> > > so...  where do we stand with this?  Fundamental, irreconcilable
> > > differences over the use of pathname-based security?
> > > 
> > There certainly seems to be some differences of opinion over the use
> > of pathname-based-security.
> 
> I was refreshed to have not been cc'ed on a lkml thread for once.  I guess
> it couldn't last.
> 
> Do you agree with the "irreconcilable" part?  I think I do.
> 
> I suspect that we're at the stage of having to decide between
> 
> a) set aside the technical issues and grudgingly merge this stuff as a
>    service to Suse and to their users (both of which entities are very
>    important to us) and leave it all as an object lesson in
>    how-not-to-develop-kernel-features.

If this is merged, suse is stuck with technically inferior solution
forever. This may please parts of suse, but not our users.

If this is not merged, suse will [have to] work with selinux people to
come up with friendlier userland tools/selinux improvements. (We
already had discussions with vojtech about a way to add path-based
aspects to selinux, and selinux people already offered to add 'new
file label is function of directory label and new name' support, which
addresses lots of reasons for AA).

Actually, there's a middle way. Merging only 'pass vfsmounts down'
parts will make AA self contained enough that suse will not go crazy
while trying to maintain it, but will have good enough incentive to
work with selinux people on something better.

							Pavel
					(not speaking for suse,
					as usual).
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Prev by Date: Re: [PATCH 2/2] net: make net and forcedeth to use kmalloc_node
• Next by Date: [RFC] disabling RTC irq during release
• Previous by thread: Re: [AppArmor 00/44] AppArmor security module overview
• Next by thread: Re: mss to pmtu clamping partially broken?
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]