On Sat, 9 Jun 2007, Sean wrote:
Remember that the security hooks in the kernel are not SELinux APIs, they
are the Loadable Security Model API. What the AA people are asking for is
for the LSM API to be modified enough to let their code run (after that
(and working in parallel) they will work on
On Sat, 9 Jun 2007 20:26:57 +0900
Tetsuo Handa [EMAIL PROTECTED] wrote:
Sean wrote:
All of a sudden you've implemented the main features of AA with very
few changes to the kernel. It should be more maintainable, and much
easier to get accepted into the kernel.
Do you agree with passing
On Sat, 9 Jun 2007, Sean wrote:
On Sat, 9 Jun 2007 20:26:57 +0900
Tetsuo Handa [EMAIL PROTECTED] wrote:
Sean wrote:
All of a sudden you've implemented the main features of AA with very
few changes to the kernel. It should be more maintainable, and much
easier to get accepted into the
On Saturday 09 June 2007 14:58, Pavel Machek wrote:
How will kernel work with very long paths? I'd suspect some problems,
if path is 1MB long and I attempt to print it in /proc
somewhere.
Pathnames are only used for informational purposes in the kernel, except
in AppArmor of
On Saturday 09 June 2007 10:10, Sean wrote:
Clinging to the current AA implementation instead of honestly considering
reasonable alternatives does not inspire confidence or teamwork.
What you imply is pretty insulting. I can assure you we looked into many
possible implementation choices, and
[EMAIL PROTECTED] wrote:
On Sat, 9 Jun 2007, Sean wrote:
snip
what SELinux cannot do is figure out what label to assign a new file.
Nit: SELinux figures out what to label new files fine, just not based on
the name. This works in most cases, e.g., when user_t creates a file in
/tmp it
On Jun 09, 2007, at 01:18:40, [EMAIL PROTECTED] wrote:
SELinux is like a default allow IPS system, you have to describe
EVERYTHING to the system so that it knows what to allow and what to
stop.
WRONG. You clearly don't understand SELinux at all. Try booting in
enforcing mode with an
On Sat, 9 Jun 2007 17:17:57 +0200
Andreas Gruenbacher [EMAIL PROTECTED] wrote:
On Saturday 09 June 2007 10:10, Sean wrote:
Clinging to the current AA implementation instead of honestly considering
reasonable alternatives does not inspire confidence or teamwork.
What you imply is pretty
On Sat, 9 Jun 2007, Kyle Moffett wrote:
On Jun 09, 2007, at 01:18:40, [EMAIL PROTECTED] wrote:
SELinux is like a default allow IPS system, you have to describe EVERYTHING
to the system so that it knows what to allow and what to stop.
WRONG. You clearly don't understand SELinux at all. Try
On Jun 09, 2007, at 12:46:40, [EMAIL PROTECTED] wrote:
On Sat, 9 Jun 2007, Kyle Moffett wrote:
Typical targeted policies leave all user logins as
unrestricted, adding security for daemons but not getting in the
way of users who would otherwise turn SELinux off. On the other
hand, a
On Sat, 9 Jun 2007, Kyle Moffett wrote:
On Jun 09, 2007, at 12:46:40, [EMAIL PROTECTED] wrote:
On Sat, 9 Jun 2007, Kyle Moffett wrote:
Typical targeted policies leave all user logins as unrestricted,
adding security for daemons but not getting in the way of users who would
otherwise turn
--- Sean [EMAIL PROTECTED] wrote:
The question is: why not just extend SELinux to include AA functionality
rather than doing a whole new subsystem.
Because, as hard as it seems for some people to believe,
not everyone wants Type Enforcement. SELinux is a fine
implementation of type
12 matches