jmjonesat_private wrote:

> On Mon, 6 Aug 2001, Crispin Cowan wrote:
>
> > > 1) make hooks authoritative,
> >
> > Not yet. I'm still waiting to hear whether the promised advantages are
> > real or not. In particular, I want to know whether Smalley's style of
> > authoritative hooks (DAC-in, DAC-first, send DAC result to module as a
> > parameter, and let the module make the final decision) actually improves
> > SGI's situation. Richard?
>
> Riddle me this: how are they NOT real? They allow me to build a module
> that does things differently than the 6 or 7 pre-existing security
> projects, but don't inhibit ANY of them from doing what they desire:
> proving that they can't grant permission when another model (even
> in-kernel) denies.

The "old" benefits (can do more hypothetical stuff) we're aware of, but
decided weren't worth the cost (benefits of simple assurance).

The "new" benefits are that they may ease the tension between the DAC-first
people and the MAC-first people. That is the key.

> > > 2) DON'T buy-in the DAC-OUT yet, but keep an open mind,
> >
> > Sorry, my mind is closed on this issue :-)
>
> I'm very sorry to hear this. I've always advocated you as having an open
> mind, and I don't think there's clear, irrefutable proof to the contrary,
> at this point.

"open minded" means not judging issues you don't yet have evidence for. We
(WireX) considered it, and gathered tons of evidence that DAC-out is an
impractical idea. Others who went and looked seemed to come to similar
conclusions. I'm tired of discussing it. It has no chance of ever
succeeding, so we're wasting our time considering it.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:38:52 PDT