On Fri, 25 Jan 2002, Stephen Smalley wrote:

> 2) Some access control systems (definitely SELinux, don't know about
> others) provide an enhanced API for security-aware applications that
> permits them to query the policy (if authorized by the policy to perform
> such queries). The SELinux API is discussed in the Freenix paper, and at
> greater length in the technical report.
>
> Of course, these facilities aren't standardized in any way across
> different security modules.

Yes, this is the function that I envision needing, and had hoped there
might be some possibility of providing some minimally common interface
to query the policy (or more specifically, test an access against a
specified policy other than their own) by applications with permission
to do so. The stalwart rejection of such commonality is probably good
design/security thinking, but not having a common means to do this thing
which I think may prove a common need is an inconvenience, IMHO.

*SHRUG* :)

It would probably be impossible to design a flexible enough call,
anyway, to address the supported diversity of modules.

>
> --
> Stephen D. Smalley, NAI Labs
> ssmalleyat_private
>

Thanks,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 08:32:35 PST