On Wed, 2005-06-08 at 09:05 -0400, Valdis.Kletnieks@private wrote:
> Probably should also
> touch on the fact that while just gluing several small modules together
> probably isn't the best solution theory-wise, for many sites it's "good enough"
> - not every box that needs an LSM or three needs an SELinux-sized solution
> (which *does* add into the TCO)... This probably won't fly on lkml unless
> you specifically use "there are different correct solutions on the cost/security
> curve" as a selling point....

As you might expect, I'd disagree with the notion that gluing several small modules together is a good idea, and not just in theory. Note that SELinux allows for those different correct solutions on the cost/security curve via policy configuration and/or security server modification. The "size" of a SELinux solution is primarily a function of the policy complexity. As far as avtab memory usage is concerned, that can certainly be optimized.

Do you really want to encourage proliferation of ad-hoc special purpose LSMs? That would seem to lend itself toward:
- fragmentation of already scarce security resources that could instead be working toward a common unified solution,
- most LSMs remaining out of tree,
- no real review of how these LSMs compose (or should not compose) by people who might be capable of evaluating them (most sysadmins won't be able to perform such analysis on their own),
- no stable kernel security model or API due to variances in the set of LSMs present in any given kernel and thus no effective leveraging of any specific security model or API by upstream applications that want to be portable.

-- 
Stephen Smalley
National Security Agency
This archive was generated by hypermail 2.1.3 : Wed Jun 08 2005 - 09:41:49 PDT