On Wed, 18 Apr 2007, David Lang wrote:

> SELinux is designed to be able to make the box safe against root, AA is
> designed to let the admin harden exposed apps without having to think about
> the other things on the system.

This is not correct.

SELinux was designed as an access control framework which allows various 
security models to be composed in a controlled and consistent manner, 
covering all security-relevant interactions in the system.

The type enforcement model included with it provides a means to address 
both integrity and confidentiality requirements.  It _can_ protect you 
against root, if that's what you want (in fact, the Russell Coker "play 
box" was online for many years with a published root password), but it 
does not have to.

Indeed, since Fedora Core 3, the default SELinux policy has been 
"targeted", which is aimed at confining exposed applications.



- James
-- 
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to