On Mon, 21 Oct 2002, Crispin Cowan wrote: > Therefore, the sys_security syscall has been removed. LSM-aware > applications that want to talk to security modules can do so through a > file system interface. This will work for WireX, and Smalley says it > will work for SELinux. I hope it will work for others. Actually, with regard to using a pseudo filesystem interface, I said that we could investigate it, but I have doubts about cleanly supporting the extended forms of existing calls (e.g. execve_secure, mkdir_secure, msgrcv_secure, recvmsg_secure, etc) using such an interface. I raised the same issue when sys_security was originally discussed on the lsm list long ago. SELinux extends the POSIX API to incorporate security (specifically flexible mandatory access control) as a first class notion. However, I understand Christoph's objection to sys_security and am not trying to revive that debate. We can hopefully have a dialogue about the SELinux API with the kernel developers at a later time and come to some consensus on a set of specific system calls that can be added to the kernel to support equivalent functionality to the SELinux API. -- Stephen D. Smalley, NAI Labs ssmalleyat_private _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 05:24:42 PDT