Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

--- Al Viro [EMAIL PROTECTED] wrote: On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack is the Simplified Mandatory Access Control Kernel. Smack implements mandatory access control (MAC) using labels attached to tasks

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

On Wed, Oct 03, 2007 at 07:17:35PM +0100, Alan Cox wrote: Absolute paths in that kind of thing are _wrong_. You know where the things are on your fs. You don't know if anything else will be visible, let alone whether it will be at the same place in all chroots or namespaces. And no, you

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

--- Al Viro [EMAIL PROTECTED] wrote: On Wed, Oct 03, 2007 at 10:21:08AM -0700, Casey Schaufler wrote: what happens if we want it in two chroot jails with different layouts? As you can only have /smack mounted once, this isn't an issue, but it does present an interesting use case

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

--- Alan Cox [EMAIL PROTECTED] wrote: Absolute paths in that kind of thing are _wrong_. You know where the things are on your fs. You don't know if anything else will be visible, let alone whether it will be at the same place in all chroots or namespaces. And no, you _can't_ make

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

An embedded system that does not have user logins but that does have applications that require separation, perhaps a moble communication device with application download capability, is just one example where the smack symlink implementation provides the required function without requiring

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

--- Alan Cox [EMAIL PROTECTED] wrote: An embedded system that does not have user logins but that does have applications that require separation, perhaps a moble communication device with application download capability, is just one example where the smack symlink implementation provides

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

--- Al Viro [EMAIL PROTECTED] wrote: On Wed, Oct 03, 2007 at 12:51:08PM -0700, Casey Schaufler wrote: Because you throw simple out the window when you require userland assistance to perform this function. Any more than having /tmp replaced with a symlink? Yes. By the way,

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

On Wed, Oct 03, 2007 at 03:23:15PM -0700, Casey Schaufler wrote: 1. Create /moldy at _ 2. For each label you care about 2a. Create /moldy/label 2b. Set the label of /moldy/label to label 3. ln -s /smack/tmp /tmp 1. Create /moldy at _ 2. For each label you care about 2a. Create

Re: [PATCH] Version 4 (2.6.23-rc8-mm2) Smack: Simplified Mandatory Access Control Kernel

On Tue, Oct 02, 2007 at 09:45:42PM -0700, Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack is the Simplified Mandatory Access Control Kernel. Smack implements mandatory access control (MAC) using labels attached to tasks and data containers, including files, SVIPC,