On Fri, 2005-11-18 at 16:02 -0500, James Morris wrote:
> I think that integrity verification, attestation and similar should be
> implemented as services which can be called on and controlled by SELinux.

Yes, or even by another kernel subsystem or LSM if desired. But this
requires a major overhaul of the current EVM implementation, this time
with an eye toward how something like SELinux would actually use it.

> I'd prefer to see the low-watermark model (if justified as a feature of
> the upstream kernel) integrated as an option into SELinux rather than
> implemented as a separate access control system. It seems that Stephen is
> not so keen on the idea, but we'd surely have control over whether the
> model was enabled or not.
>
> Incorporating the model into SELinux means making it part of a large
> existing userbase and established community, meaning more testing,
> analysis, maintenance etc., which tends to lead to a higher quality of
> implementation.

Yes, this is certainly true. I'm not convinced of the justification for
low water mark, but if it is justified, it does make more sense to
extend the Flask architecture and SELinux security server for it as an
optional policy component (like the MLS support) rather than introducing
a separate LSM altogether.

-- 
Stephen Smalley
National Security Agency

This archive was generated by hypermail 2.1.3 : Mon Nov 28 2005 - 07:08:36 PST