richard offer wrote:

> It's been a few days now since we released our patch and the discussion has
> died down, so I think it's time to summarize.

Good plan.

> No one ever came back to say why moving the hooks in front of the DAC
> checks was objectionable, so that seems to be a moot point.

WireX cares, but we've been distracted by the path name issue.

We would like the DAC checks to come before the MAC checks. The reasoning is somewhat involved. We have a package that semi-automates generation of SubDomain profiles, colloquially known as "bitch mode" :-) Bitch mode enforces the same profiles that SubDomain does, but instead of denying access to files, it just syslogs the fact that the application accessed a file that was not specifically in the profile. A subsequent batch job reads the syslog and generates profiles.

The DAC/MAC check sequence comes into play here because some applications will attempt to access various files that DAC doesn't give them access to, probing to find something it wants. If DAC is checked first, and short-circuited, then Bitch mode won't see these accesses, which is what we want. If MAC is checked first, then Bitch mode will log some spurious entries that should not be generated. Thus we would strongly prefer to have DAC checks first.

However, this is something we can kludge around. It'll be ugly, but we'll live. Thus we reserved the LOUD bitching for the path name hook, and will only bitch a little about the DAC/MAC sequence.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
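The ordering effect described in the message above, as an added example that is not part of the original post and is not WireX or SubDomain code: a user-space model of a learning-mode hook replaying the same read attempts with DAC checked first and with the hook called first. The file table, profile contents, uid 1000 and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: paths, owners and modes are illustrative only. */
struct file { const char *path; unsigned owner; unsigned mode; };
static const struct file files[] = {
    { "/etc/app.conf",   0,    0644 },  /* world-readable, already in profile */
    { "/etc/shadow",     0,    0600 },  /* probe that DAC refuses */
    { "/root/.apprc",    0,    0600 },  /* probe that DAC refuses */
    { "/var/lib/app/db", 1000, 0600 },  /* real access missing from profile */
};
static const char *profile[] = { "/etc/app.conf" };
static const char *learn_log[8];
static int learn_n;

/* Simplified DAC: owner and other read bits only. */
static int dac_read_ok(const struct file *f, unsigned uid) {
    return (f->mode & (uid == f->owner ? 0400 : 0004)) != 0;
}

/* Learning-mode MAC hook: never denies, records paths absent from the profile. */
static void mac_learn(const struct file *f) {
    for (size_t i = 0; i < sizeof profile / sizeof profile[0]; i++)
        if (strcmp(profile[i], f->path) == 0) return;
    if (learn_n < 8) learn_log[learn_n++] = f->path;
}

/* Replay the same read attempts under one ordering; returns the log size. */
int replay(int dac_first, unsigned uid) {
    learn_n = 0;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        if (dac_first && !dac_read_ok(&files[i], uid))
            continue;           /* DAC short-circuits: the hook never runs */
        mac_learn(&files[i]);   /* hook-first: runs even when DAC would deny */
    }
    return learn_n;
}

/* Was this path recorded by the most recent replay? */
int logged(const char *path) {
    for (int i = 0; i < learn_n; i++)
        if (strcmp(learn_log[i], path) == 0) return 1;
    return 0;
}

int main(void) {
    printf("DAC first: %d log entries\n", replay(1, 1000));
    printf("MAC first: %d log entries\n", replay(0, 1000));
    return 0;
}
```

A profile generated from the hook-first log would carry entries for the two probed files that DAC refuses anyway; the DAC-first log contains only the access the application can actually make.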
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 16:44:24 PDT