On Sat, 29 Sep 2007 17:20:36 -0700 Casey Schaufler [EMAIL PROTECTED] wrote:
Smack is the Simplified Mandatory Access Control Kernel.
I don't know enough about security even to be dangerous. I went back and
reviewed the August thread from your version 1 submission and the message I
take away
On Sun, Sep 30, 2007 at 01:16:18AM -0700, Andrew Morton wrote:
reviewed the August thread from your version 1 submission and the message I
take away is that the code has been well-received and looks good when
considered on its own merits, but selinux could probably be configured to
do
--- Andrew Morton [EMAIL PROTECTED] wrote:
On Sat, 29 Sep 2007 17:20:36 -0700 Casey Schaufler [EMAIL PROTECTED]
wrote:
Smack is the Simplified Mandatory Access Control Kernel.
I don't know enough about security even to be dangerous. I went back and
reviewed the August thread from
--- Andi Kleen [EMAIL PROTECTED] wrote:
- Smack.txt and the website seem a bit skimpy. Is there enough
documentation out there for someone to usefully (and, more importantly,
safely) start using smack?
Yes that's the important thing.
- In his review of version 1, Andi
--- Christoph Hellwig [EMAIL PROTECTED] wrote:
On Sun, Sep 30, 2007 at 01:16:18AM -0700, Andrew Morton wrote:
reviewed the August thread from your version 1 submission and the message I
take away is that the code has been well-received and looks good when
considered on its own merits, but
It does the job going off box, too.
It does not as far as I can see. The IETF seems to have had very good
reasons to never advance that draft any further.
The authentication issues are very real, but a separate issue.
First rule of network security: don't trust the network. And you seem
to
CIPSO is supported on SELinux as well.
That's no reason to extend that design mistake.
It certainly has uses where IPSec
is excessive. One example is someone I talked to recently that basically
has a set of blade systems connected with a high speed backplane that
looks like a network
Andi Kleen wrote:
- hm, netlabels. Who might be a suitable person to review that code?
Seems that Paul Moore is the man. Maybe he'd be interested in taking a
look over it (please?)
I personally consider these IP options it uses to be pretty useless. Who could
ever use that without
On Sun, Sep 30, 2007 at 07:39:57PM +0200, Andi Kleen wrote:
CIPSO also lets systems like SELinux and SMACK talk to other trusted
systems (eg., trusted solaris) in a way they understand.
Perhaps, but is the result secure? I have severe doubts.
As always, it depends on your environment.
Yes, normally the network is outside the Trusted Computing Base (TCB),
Normally as in the 99.9% case.
but a cluster of Linux machines in a rack is roughly the same size as
a huge Unix server ten years ago --- and it's not like Ethernet is any
more secure than the PCI bus.
PCI busses
On Sunday 30 September 2007 3:07:42 pm Theodore Tso wrote:
There are different kinds of security. Not all of them involve
cryptography and IPSEC. Some of them involve armed soldiers and air
gap firewalls. :-)
Yes, normally the network is outside the Trusted Computing Base (TCB),
but a
On Sun, Sep 30, 2007 at 10:05:57PM +0200, Andi Kleen wrote:
but a cluster of Linux machines in a rack is roughly the same size as
a huge Unix server ten years ago --- and it's not like Ethernet is any
more secure than the PCI bus.
PCI busses normally don't have routers to networks
On Sunday 30 September 2007 4:16:18 am Andrew Morton wrote:
- hm, netlabels. Who might be a suitable person to review that code?
Seems that Paul Moore is the man. Maybe he'd be interested in taking a
look over it (please?)
Yep, I've been tracking Casey's work on this since the first
On Sun, 30 Sep 2007, Andi Kleen wrote:
The authentication issues are very real, but a separate issue.
First rule of network security: don't trust the network.
This I agree with
Without authentication it's completely useless. I don't understand
how you can disregard that as separate issue.
--- Serge E. Hallyn [EMAIL PROTECTED] wrote:
...
+A process can see the smack label it is running with by
+reading /proc/self/attr/current. A privileged process can
+set the process smack by writing there.
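Review bot: the last added sentence says a privileged process can "set the process smack", dropping the word "label" that the first sentence uses, and "A privileged process" does not say which privilege gates the write to /proc/self/attr/current. Suggest "set the process smack label by writing there" and naming the required privilege explicitly, since this file is how label transitions happen and a reader needs to know exactly who is allowed to perform them.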
Ok, so to control smack label transitions, basically you would
run with