Stephen Smalley wrote:

> On Mon, 13 Aug 2001, Chris Wright wrote:
>
> > * name vs. inode (as Serge pointed out, we may have a solution in 2.5,
> > see http://acl.bestbits.at/pipermail/acl-devel/2001-August/000734.html)
>
> I thought that this was resolved, pending submission of a specific proposal
> from WireX for new hooks that would meet their needs. If 2.5 is going to
> solve your problem anyway, then so much the better.

Yes, that's correct. We found it difficult to do, but this statement from Al Viro makes it much easier.

> > * in-kernel check vs. lsm-check ordering
>
> I thought that this was resolved, with the decision being that we place the
> LSM hooks after the DAC logic whenever feasible. This was already the case
> for many of the hooks, and I think I moved the remaining ones when feasible.

I agree with that, but wasn't convinced we had actually established a consensus. In particular, I want to know whether shifting from restrictive to authoritative hooks eases SGI's issue with DAC-first.

> > * all in-kernel checks to module
>
> This seems to have been resolved by the recent posting by Ted Ts'o.

I agree, but again wanted to actually get a consensus.

> > anything else?
>
> Yes, I would suggest that we also discuss the following:
>
> * status and plans for the capabilities module
> * controlling Unix domain sockets that use the abstract namespace
> * Ted's comments about making LSM a configuration option, using
>   macros, etc.
> * plans for submitting a patch to the kernel developers

Excellent points.

Thanks,
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Wed Aug 15 2001 - 08:28:20 PDT