--- "Serge E. Hallyn" <[EMAIL PROTECTED]> wrote:
> > Funny thing is that I would agree with you 100%
> > if LSM implemented authoritative hooks. Since
> > LSM implements a scheme that is supposed to
> > provide strictly for additional restrictions
> > it should be simple to stack modules safely.
>
> An example where that is not the case is if LSM 2 needs to label
> a file as 'toptopsecret noone may touch this', but LSM 1 has
> marked claimed that the user may not write an xattr. So now
> the user's info can be leaked.

This is only an issue if LSM 2 puts "toptop..." data into the file prior to setting the label on the file, which I would argue ought not happen.

If you're referring to the case where someone discovers toptop... data in an existing 'sure go ahead everyone read this' file and they want to relabel it I say that the described behavior is, however unfortunate, correct. There have been successful MLS systems on which users were not allowed to relabel files.

If an LSM is correct within its own rules, such as the MLS reality that the container has to be labeled before the data goes in, and that the creation would fail if it couldn't live up to its rules, the situation described will not be a security problem. It will be an operational problem, and the admin who decided that she wanted both mechanisms may have a tough choice, just as she does when she puts too many layers of spam filtering in place and nothing from lkml gets through anymore.

Reminds me of changing planes at Heathrow, where half the people had too much luggage to go through security, but had already gone through once at the previous airport.

Casey Schaufler
[EMAIL PROTECTED]
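
The label-before-data ordering argued for in the message above, as an added toy model in C. It is not part of the original message and is not kernel or LSM code. The `lsm1`/`lsm2` hooks, the `struct file` layout and all other names are hypothetical; the only assumptions are that every module can deny but never grant, and that a denied labeling step fails the whole creation.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (hypothetical names, not kernel code): a hook may only deny. */
enum op { OP_CREATE, OP_SETXATTR, OP_WRITE };
struct file { int exists; char label[32]; char data[32]; };
typedef int (*hook_fn)(enum op, const struct file *);

/* "LSM 1": this user may not write any xattr. */
static int lsm1(enum op op, const struct file *f) { (void)f; return op == OP_SETXATTR ? -1 : 0; }
/* "LSM 2": MLS-like rule, no data may enter an unlabeled container. */
static int lsm2(enum op op, const struct file *f) { return (op == OP_WRITE && !f->label[0]) ? -1 : 0; }

/* Restrictive stacking: allowed only if every module allows it. */
static int permitted(hook_fn *m, int n, enum op op, const struct file *f) {
    for (int i = 0; i < n; i++)
        if (m[i](op, f) != 0) return 0;
    return 1;
}

/* Label the container first; if labeling is denied, the creation fails
 * and no data is ever written. Returns 0 on success, -1 on denial. */
int create_labeled(hook_fn *m, int n, struct file *f, const char *label, const char *data) {
    memset(f, 0, sizeof *f);
    if (!permitted(m, n, OP_CREATE, f)) return -1;
    f->exists = 1;
    if (!permitted(m, n, OP_SETXATTR, f)) { f->exists = 0; return -1; }
    snprintf(f->label, sizeof f->label, "%s", label);
    if (!permitted(m, n, OP_WRITE, f)) { memset(f, 0, sizeof *f); return -1; }
    snprintf(f->data, sizeof f->data, "%s", data);
    return 0;
}

/* Build the stack (LSM 2 alone, or LSM 1 + LSM 2) and try the creation. */
int run_case(int with_lsm1, struct file *f) {
    hook_fn mods[2]; int n = 0;
    if (with_lsm1) mods[n++] = lsm1;
    mods[n++] = lsm2;
    return create_labeled(mods, n, f, "toptopsecret", "constructed sample data");
}

int main(void) {
    struct file f;
    int rc = run_case(0, &f);
    printf("LSM2 only:   rc=%d label='%s' data='%s'\n", rc, f.label, f.data);
    rc = run_case(1, &f);
    printf("LSM1 + LSM2: rc=%d exists=%d data='%s'\n", rc, f.exists, f.data);
    return 0;
}
```

With both modules stacked the creation is refused and the file holds no data, which is the operational failure rather than the leak.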