--- Karl MacMillan <[EMAIL PROTECTED]> wrote: > > There are others who would argue that SELinux > > has abandoned the Linux privilege model and > > thus disrupted the unity of the existing > > security model. > > > > No clue what this means.
Pre-SE Linux has a rational and well established security model that includes DAC and Privilege. The capability scheme is designed to fit that model, adding the logical extention from the POSIX statements of "appropruate privilege" to defining what those privileges would be. SELinux does not use capabilities to identify where "policy" is excepted, rather it defines policy in such a way as to make the notion of exception unnecessary. Many people think this is good. I personally like the traditional scheme, and would be happier with SELinux if it held to it. > > I don't understand why the SELinux crew seems > > so intent on making it difficult to implement > > alternatives. Last year it was "let's ditch LSM". > > Now it's "Everyone hates stacking". Give it a > > rest already. > > > > 1) Stacking is possible now, just not arbitrary > stacking by an admin. True enough, although I have to say that it isn't a pleasant exercise. > 2) Not having arbitrary stacking in no way limits > alternatives. It just > forces the use of a single alternative at a time or > explicit development > to make alternatives work together. Funny thing is that I would agree with you 100% if LSM implemented authoritative hooks. Since LSM implements a scheme that is supposed to provide strictly for additional restrictions it should be simple to stack modules safely. > 3) The objections, if you read them, are about > whether the correctness > of arbitrarily stacked modules can be reasonably > expected or verified. > It is not an effort to limit alternatives. Restictive LSM modules ought to be completely stackable if they are in fact strictly restrictive. That there are issues says that the scheme may not be being used correctly. I honestly don't know if that's worth the trouble of fixing. > There are real disagreements here, but please stop > overstating the > differences and misconstruing (willfully?) peoples > positions. SELinux is a Good Thing for any number of reasons. There are also other schemes that have merit. Just as I encouraged the NSA to adopt Linux and do their own security work back in the late 20th century I hope to encourage newcomers to LSM to follow through with their ideas and come up with the next great thing. Assimilation into SELinux can come later if it's of value. Maybe you can do a bunch of this stuff using SELinux as a framework instead of LSM, but I think that if someone wants to use LSM as a base that is their call, and I personally would like to see what they do because I don't believe for a minute that the "problem" of system security is solved. Casey Schaufler [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html