* Henrý Þór Baldursson (henry@f-prot.com) wrote:
>
> When an access control policy, whose only factor is content, is applied
> to a file. That policy should not need to be applied to said file until
> its content changes, or a reasonable amount of time has passed. And I,
> personally, feel that this functionality belongs in the framework rather
> than in something called a "security policy module". 1) Because caching
> verdicts has nothing to do with security, it has to do with reducing
> latency in the framework's design. 2) Because this would prevent people
> from excessively redesigning the wheel and causing code obesity.

Of course, to date, this is exactly the type of thing that has been called policy and punted to the security module. The framework is intended to be as thin as possible (read: dumb) and pushes all sense of policy to the module.

> My questions are: Has/Should this functionality be implemented in the
> framework rather than in security policy modules? What are your opinions
> on the matter?

No it has not. You aren't the first person to bring this up, but I still see this as something the module should care about. The framework is general, and the criteria for does this verdict still stand seems module specific.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Nov 04 2002 - 11:11:21 PST