We've been over this before, but to summaraize and concentrate the
discussions into hopefully a mutually dissapointing conclusion, here goes.
There are two projects (SubDomain, our B1 code) that have mutually
conflicting requirements.
SubDomain has a policy that allows normal DAC checks to procede and then
enforces MAC checks if it gets that far. For its policy (I think of it as
containing), this makes perfect sense.
B1 want to perform the MAC check first, if that is acceptable, then the
normal DAC checks can procede. Partly this is audit driven (if a check
would return a MAC fail, it should, not a DAC fail) partly customer
expectation.
Possible Solutions
==================
Implement DAC before MAC
Pro: No code changes, SubDomain is happy
Con: SGI unhappy, fails litmus test of supporting all reasonable
policies
Implement MAC before DAC
Pro: SGI happy,
Con: SubDomain unhappy, extra work, fails litmus test of
supporting all reasonable policies
Hooks pre and post DAC logic
Pro: Works for both camps
Con: People belive it wont pass muster by the kernel list.
Single Hook to replace all DAC logic
Pro: Works for both camps
Con: Means moving DAC logic out of the kernel into the module,
People belive it wont pass muster by the kernel list,
extra work.
Build time selection of hook placement
#ifdef MAC_BEFORE_DAC
security_ops->hook()
#endif
/* in-line DAC logic */
#ifndef MAC_BEFORE_DAC
security_ops->hook()
#endif
Pro: works for both camps
Con: REALLY ugly, #ifdefs, possibly limits policies that could
be
loaded.
Those are the only options I can see, anyone any others ?
richard.
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 11:57:35 PDT