Re: Making forward progress

From: Stephen Smalley (sdsat_private)
Date: Fri Aug 03 2001 - 09:34:52 PDT


    On Fri, 3 Aug 2001, Casey Schaufler wrote:

    > We've raised several issues, including Audit (which has been
    > deferred), alternative DAC mechanisms, and MAC. No one will
    > be able to do any of these things* with the current scheme.

    LSM is simply conforming to the scope specified in Linus' mandate.

    Full-fledged audit isn't in that scope, although many access control
    modules (such as SELinux) do provide configurable audit/logging of access
    denials (or even access grantings).

    Alternative DAC mechanisms can be implemented using LSM - you simply
    implement your new DAC logic in the module and if you want your logic to
    completely replace the old DAC logic, your module uses the capable hook
    to override the old DAC logic.  Not terribly efficient, but
    workable, and Linus didn't authorize us to remove the old DAC logic.

    MAC can be implemented using LSM.  It may not conform to a particular
    withdrawn standard, but it can be implemented.

    Stephen D. Smalley, NAI Labs
    linux-security-module mailing list
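
The capable-hook approach to replacing DAC described in the message above, as an added example that is not part of the original post or of the LSM code: a simplified user-space C model in which the old mode-bit check falls back to a capability check, and a module grants CAP_DAC_OVERRIDE and then decides access in its own hook. The `sec_ops` table, the one-entry ACL and all function names are assumptions made for illustration.

```c
/* Added example: user-space model, not kernel code. Names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#define CAP_DAC_OVERRIDE 1               /* same number as in Linux */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };
struct task  { int uid; };
struct inode { int owner, mode, acl_uid, acl_mask; }; /* mode bits + constructed 1-entry ACL */
struct sec_ops {                         /* stand-in for a module's hook table */
    int (*capable)(const struct task *, int cap);
    int (*permission)(const struct task *, const struct inode *, int mask);
};

/* No module loaded: only uid 0 is capable, and there is no extra check. */
static int base_capable(const struct task *t, int cap) { (void)cap; return t->uid == 0 ? 0 : -EPERM; }
static int base_permission(const struct task *t, const struct inode *i, int m) { (void)t; (void)i; (void)m; return 0; }
const struct sec_ops base_ops = { base_capable, base_permission };

/* Module: grant CAP_DAC_OVERRIDE to every task so an old mode-bit denial never
 * sticks, then make the real decision in the module's own permission hook. */
static int mod_capable(const struct task *t, int cap) {
    return cap == CAP_DAC_OVERRIDE ? 0 : base_capable(t, cap);
}
static int mod_permission(const struct task *t, const struct inode *i, int mask) {
    int bits = t->uid == i->owner ? (i->mode >> 6) & 7
             : t->uid == i->acl_uid ? i->acl_mask : i->mode & 7;
    return (bits & mask) == mask ? 0 : -EACCES;
}
const struct sec_ops acl_ops = { mod_capable, mod_permission };

/* The old DAC logic is still present and still runs first (the inefficiency
 * the message mentions); the capable hook is its only override point. */
int permission(const struct sec_ops *ops, const struct task *t,
               const struct inode *i, int mask) {
    int bits = t->uid == i->owner ? (i->mode >> 6) & 7 : i->mode & 7;
    if ((bits & mask) != mask && ops->capable(t, CAP_DAC_OVERRIDE) != 0)
        return -EACCES;
    return ops->permission(t, i, mask);
}

/* Constructed sample: owner uid 1000, mode 0600, ACL gives uid 1001 read. */
static const struct inode sample = { 1000, 0600, 1001, MAY_READ };
int check(const struct sec_ops *ops, int uid, int mask) {
    struct task t = { uid };
    return permission(ops, &t, &sample, mask);
}

int main(void) {
    printf("uid 1001 read: no module %d, acl module %d\n",
           check(&base_ops, 1001, MAY_READ), check(&acl_ops, 1001, MAY_READ));
}
```

In this model the module's decision is final for every task, uid 0 included, because the override is granted unconditionally and nothing outside the module's hook denies access afterwards.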
