On Fri, 3 Aug 2001, Casey Schaufler wrote:

> We've raised several issues, including Audit (which has been
> deferred) alternative DAC mechanisms, and MAC. No one will
> be able to do any of these things* with the current scheme.

LSM is simply conforming to the scope specified in Linus' mandate.

Full-fledged audit isn't in that scope, although many access control modules (such as SELinux) do provide configurable audit/logging of access denials (or even access grantings).

Alternative DAC mechanisms can be implemented using LSM - you simply implement your new DAC logic in the module and if you want your logic to completely replace the old DAC logic, your module uses the capable hook to override the old DAC logic. Not terribly efficient, but workable, and Linus didn't authorize us to remove the old DAC logic.

MAC can be implemented using LSM. It may not conform to a particular withdrawn standard, but it can be implemented.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private
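The DAC-replacement approach described in the message above, sketched as an added userspace model. It is not code from the original post or from the LSM patch. Every name in it (sec_ops, check_access, CAP_DAC_OVERRIDE_MODEL, the one-entry ACL) is hypothetical, and the ordering of the checks is simplified.

```c
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not the LSM interface. */
enum { MAY_WRITE = 2, MAY_READ = 4, CAP_DAC_OVERRIDE_MODEL = 1 };

struct file_obj { int owner, owner_bits, other_bits, acl_uid, acl_bits; };

struct sec_ops {
    int (*capable)(int uid, int cap);  /* nonzero = capability granted */
    int (*permission)(int uid, const struct file_obj *f, int mask); /* 0 = allow */
};

/* Old DAC logic that stays in the kernel: owner/other mode bits. */
static int old_dac_allows(int uid, const struct file_obj *f, int mask) {
    int bits = (uid == f->owner) ? f->owner_bits : f->other_bits;
    return (bits & mask) == mask;
}

/* Kernel-side check: restrictive module hook, old DAC, then capability override. */
int check_access(const struct sec_ops *ops, int uid, const struct file_obj *f, int mask) {
    if (ops->permission && ops->permission(uid, f, mask) != 0) return -1;
    if (old_dac_allows(uid, f, mask)) return 0;
    return ops->capable(uid, CAP_DAC_OVERRIDE_MODEL) ? 0 : -1;
}

/* Default behaviour: only uid 0 holds the override capability. */
static int default_capable(int uid, int cap) { (void)cap; return uid == 0; }

/* Replacement module: the capable hook cancels every old DAC denial ... */
static int acl_capable(int uid, int cap) { (void)uid; return cap == CAP_DAC_OVERRIDE_MODEL; }
/* ... so the permission hook carries the whole new policy (a one-entry ACL). */
static int acl_permission(int uid, const struct file_obj *f, int mask) {
    return (uid == f->acl_uid && (f->acl_bits & mask) == mask) ? 0 : -1;
}

const struct sec_ops default_ops = { default_capable, NULL };
const struct sec_ops acl_ops = { acl_capable, acl_permission };
/* Constructed sample: owner 1000 has rw, others nothing; ACL gives uid 2000 read. */
const struct file_obj sample = { 1000, MAY_READ | MAY_WRITE, 0, 2000, MAY_READ };

int main(void) {
    printf("default: uid 2000 read  -> %d\n", check_access(&default_ops, 2000, &sample, MAY_READ));
    printf("acl:     uid 2000 read  -> %d\n", check_access(&acl_ops, 2000, &sample, MAY_READ));
    printf("acl:     uid 1000 write -> %d\n", check_access(&acl_ops, 1000, &sample, MAY_WRITE));
    return 0;
}
```

In the model the old mode-bit check still runs on every access and is then overridden, which is the inefficiency the message mentions. Because the capability is granted to everyone, any denial has to come from the module's own permission hook.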
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 09:36:32 PDT