Re: about the multiple security module in LSM

From: Chris Wright (chrisw@private)
Date: Thu Sep 09 2004 - 09:40:17 PDT


* Joshua Brindle (jbrindle@private) wrote:
> Shouldn't there just be a file for each hook instead of this awkward syntax?
> echo "(selinux and capabilities) or backdoor" > /sys/security/stacker/inode_permission
> 
> echo "selinux and capabilities" > /sys/security/stacker/default
> 

What do you do if you leave out a module on a hook?  Not consider its
result?  AFAICT, this way lies madness...

> SELinux is flexible enough that starting a new MAC implementation from 
> scratch should be really a last resort.

Writing your own MAC implementation should be the first thing you
consider when your desire is to write a MAC implementation.  "Ext3 is a
flexible filesystem, don't write a new one..."  SELinux should be your
last consideration when your goal is to innovate.  Scratch your own itch
and all that...

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net


