Quoting Colin Walters (walters@private):
> I think there's two strongly related but still separate issues here:
>
> 1) Whether SELinux can express other access control LSM modules
> 2) Should LSM be removed in favor SELinux API calls, and out-of-tree
> modules can patch the kernel (as many do).
>
> My interest in this discussion is 1), which came up because of 2). So
> far I have not yet seen an actual access control LSM which isn't better
> expressed in SELinux policy.

A few years ago, while I was still working on DTE, I was contacted by someone who ran a large web-cgi farm. He wanted to know whether DTE could be used to satisfy his security goals. In particular, he had 100k users who could use a few global cgi scripts, but once they ran cgi scripts under their own directory, those scripts should only be able to access files under their own home directory, with a few predefined exceptions. In addition it shouldn't be "hard" to add or remove users.

To express this in TE would require a very large policy, with policy reloads for user add/remove. In contrast, a very simple LSM (dirjail) was able to express the policy efficiently.

To take away this kind of flexibility from people actually trying to install real systems should not be done lightly.

-serge

This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 19:40:01 PDT