> I think that it is on-topic, because it is discussing a feature of LSM that
> used to be there, and was removed. Removing that feature breaks SubDomain (we
> think). I also disbelieve that it is SubDomain-specific, because I expect SGI
> and LIDS to have similar problems.

I agree that this is still on-topic.

Currently, LIDS uses the inode and device exclusively, so this support in the
LSM is not necessary for LIDS to function. LIDS operates by caching the
inode/device when the ACL is created with the lidsadm utility. Thus were you to
do something like this:

  protect /etc/passwd
  rename /etc/passwd to /etc/passwd.bak [1]
  create /etc/passwd

then /etc/group.bak is protected, while /etc/group is not, since the inode
followed the file, not the name.

However, were LIDS rewritten to use the LSM and the pathname-based data was
available, LIDS could have the actions above work as desired.

[1] assume that some program is specifically allowed to access this file
    unprotected, obviously.

--
Brian Hatch                        For every action,
Systems and                        there is an equal
Security Engineer                  and opposite
http://www.ifokr.org/bri/          criticism.

Every message PGP signed
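The rename/recreate sequence in the message, worked through with a toy model in Python. This is an added illustration, not LIDS or LSM code: one rule pins the (st_dev, st_ino) pair the way the message says LIDS caches inode/device at ACL creation, the other pins the pathname, which is what the removed pathname-based LSM data would allow. The class names, the "passwd"/"passwd.bak" file names and the sample file contents are assumptions; the files are constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile

# Toy model of two ways to anchor an access rule to a file. Added example;
# not LIDS or LSM code. Names (InodeRule, PathRule) are hypothetical.


class InodeRule:
    """Pin a rule to the (st_dev, st_ino) of the file at rule-creation time,
    modelling what the message says LIDS caches via lidsadm."""

    def __init__(self, path):
        st = os.stat(path)
        self.key = (st.st_dev, st.st_ino)

    def protects(self, path):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return False
        return (st.st_dev, st.st_ino) == self.key


class PathRule:
    """Pin a rule to the pathname, modelling the pathname-based behaviour the
    message says would make the rename/recreate sequence work as desired."""

    def __init__(self, path):
        self.path = os.path.abspath(path)

    def protects(self, path):
        return os.path.abspath(path) == self.path


def rename_recreate_scenario(workdir):
    """Protect <workdir>/passwd, rename it to passwd.bak, create a fresh
    passwd, and report which rule type still covers which name."""
    target = os.path.join(workdir, "passwd")
    backup = os.path.join(workdir, "passwd.bak")

    # Constructed sample content standing in for the real /etc/passwd.
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")

    # Step 1: "protect /etc/passwd" under both anchoring strategies.
    inode_rule = InodeRule(target)
    path_rule = PathRule(target)

    # Step 2: "rename /etc/passwd to /etc/passwd.bak". The inode moves with
    # the file; the old inode stays allocated to passwd.bak.
    os.rename(target, backup)

    # Step 3: "create /etc/passwd". A new inode is allocated for this file.
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")

    return {
        "inode_rule_protects_new_passwd": inode_rule.protects(target),
        "inode_rule_protects_backup": inode_rule.protects(backup),
        "path_rule_protects_new_passwd": path_rule.protects(target),
        "path_rule_protects_backup": path_rule.protects(backup),
    }


def run_demo():
    """Run the scenario in a throwaway directory and return the result map."""
    with tempfile.TemporaryDirectory() as d:
        return rename_recreate_scenario(d)


if __name__ == "__main__":
    for name, covered in run_demo().items():
        print(f"{name}: {covered}")
```

Running it shows the split the message describes: the inode-pinned rule follows the renamed file into passwd.bak and no longer covers the freshly created passwd, while the path-pinned rule covers the new passwd and nothing else.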
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 12:40:30 PDT