Re: MAC before DAC vs DAC before MAC

• Previous message: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• In reply to: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Greg KH: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Crispin Cowan  wrote:
>That looks like an authoritative hook to me.  Bad logic in the module could
>result in an override of kernel DAC logic.
>
>I've argued long & hard against permissive and authoritative hooks.  I'll
>have to think about which one I want more: the simple assurance property, or
>DAC/MAC sequence the way I want it.

Yes, thank you very much for pointing this out.  This is a big downside
to the approach I suggested, which I somehow overlooked at the time, and
it might be the spike in the coffin that kills this approach to ordering.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "Re: Patch Acceptance Procedure"
• Previous message: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• In reply to: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Greg KH: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 22:35:50 PDT