Re: [PATCH] remove sys_security

From: Stephen Smalley (sdsat_private)
Date: Tue Oct 22 2002 - 05:22:26 PDT


    On Mon, 21 Oct 2002, Crispin Cowan wrote:
    
    > Therefore, the sys_security syscall has been removed. LSM-aware
    > applications that want to talk to security modules can do so through a
    > file system interface. This will work for WireX, and Smalley says it
    > will work for SELinux. I hope it will work for others.
    
    Actually, with regard to using a pseudo filesystem interface, I said that
    we could investigate it, but I have doubts about cleanly supporting the
    extended forms of existing calls (e.g. execve_secure, mkdir_secure,
    msgrcv_secure, recvmsg_secure, etc) using such an interface.  I
    raised the same issue when sys_security was originally discussed on
    the lsm list long ago.  SELinux extends the POSIX API to incorporate
    security (specifically flexible mandatory access control) as a first class
    notion.
    
    However, I understand Christoph's objection to sys_security and am not
    trying to revive that debate.  We can hopefully have a dialogue about the
    SELinux API with the kernel developers at a later time and come to some
    consensus on a set of specific system calls that can be added to the
    kernel to support equivalent functionality to the SELinux API.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    


