On Wed, 7 Nov 2001, Casey Schaufler wrote:

> jmjonesat_private wrote:
>
> > Thanks. Their project claims to handle such things as audit and C2, but I
> > have no personal knowledge one way or the other.
> >
> > The claim alone may justify LSM as another project, provided LSM doesn't
> > preclude their project.
> >
> > I'm glad they are proceeding in an LSM+Kernel method.
>
> I think you are reading the message optomistically. (Damn! I Wish I
> Could Spell!) I don't see that at all. I see that they looked
> at it once, and hope it has evolved to meet their needs, but that
> they are not in a position to say one way or the other.
>

Sorry, but I'm an optimist. I can see your interpretation.

> > I believe LSM inclusion is a "done deal",
>
> I do not share that view.

They (we?) followed every "rule" EXCEPT one. I think the PhD weight behind LSM and the code (excellent) will get accepted... unless the counter-argument focusses on that one exception and it turns critical. I really think LSM will get "in", as is... as far as the people HERE, I don't think there is enough weight to sink it.

>
> > with some concerns about the impact of
> > excessively opinionated individuals.
>
> Now now, let's not cast oil on the waters. Especially with all
> these burning matches! (^_^)

hey... if they don't find a way to shut ME up, and those LIKE me, there may be a LOT of noise in the "SALE".

>
> > I hope that the "core members" will
> > respond to kernel developer questions, and "back door" the rest of us, for
> > advice and opinion.
>
> The Cabal seems to have a separate channel for communication.
> Truth be told, I think they're in the process of wrapping things
> up off line, and will present their conclusions to the rabble on
> their own schedule.

Yeah, I noticed this back about June or July, but I also am of the opinion that it may not be counter to the overall benefit of LSM.

I'd thought that a pint or two of beer from SGI had, at least, bought a "consideration", but now I see that was not effective. Actually, if pressed to be truthful, I think it (the authoritative patch) was considered, but lost the "vote"... and I still don't know who gets a vote and who doesn't, here.

>
> > Our solution is much too invasive to propose to the kernel community as an
> > "official inclusion", (unless we get good numbers, like 50% or more
> > application) but, then again, we're addressing a very specific
> > set of needs (without excluding other needs.) We simply want a Linux that
> > is secure for our Customers. Access-Restrictive may actually be secure,
> > but audit filtered through AI makes us more comfortable sleeping at night.
>
> Yes, well, we're not dead yet.

Well, with the loss of Authoritative and a few other things, I'm dead with LSM. I can connect to the interface and get some data, but I can't actually CONTROL the security of a system without using other hooks. No huhu. I think MOST systems are running "out-of-the-box" systems with no special security needs... and those systems + a module that is LSM based is probably better than a system without a module.

>
> > We're admins (Consumers (Customers in the way I understood Greg K-H to
> > exclude)) of Linux.
>
> Exclusion is a bad idea. Inclusion. Solutions for everyone!
>

No. Exclude people not relevant to the decision matrix: like people who pay/invest money to implement Linux systems. Greg has a point (but my balloon hit it and it popped.) I hope SGI proposes its own solution and some of it is GPL'd, and I expect to provide my own solution for 2.6 that is GPL'd, and I hope that 200 other interests do the same. LSM is NOT the "final solution" we hoped for, but it IS a good solution for a specific set of problems. It is good for Linux, as a whole.

> --
>
> Casey Schaufler    Manager, Trust Technology, SGI
> caseyat_private    voice: 650.933.1634
> casey_pat_private  Pager: 888.220.0607
>

Sincerely,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES    jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module