lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Line.LNX.4.64.0704171323090.19432@d.namei>
Date:	Tue, 17 Apr 2007 13:47:39 -0400 (EDT)
From:	James Morris <jmorris@...ei.org>
To:	Andi Kleen <andi@...stfloor.org>
cc:	Karl MacMillan <kmacmill@...hat.com>,
	David Safford <safford@...son.ibm.com>,
	John Johansen <jjohansen@...e.de>,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: AppArmor FAQ

On Tue, 17 Apr 2007, Andi Kleen wrote:

> You nicely show one of the major disadvantages of the label model vs the path 
> model here: it requires modification of a lot of applications. 

This is incorrect.

Normal applications need zero modification under SELinux.

Some applications which manage security may need to be made SELinux-aware, 
although this can often be done with PAM plugins, which is a standard way 
to do this kind of thing in modern Unix & Linux OSs.

In any case, it has never been unusual for security-critical Unix/Linux 
apps to be aware of extra security frameworks, and conditionally utilize 
things like kerberos, tcpwrappers, SSL, skey etc.

Also, there's nothing inherent in pathname labeling vs. object labeling 
which makes one model require modification of applications more than the 
other.  You're taking one implementation of each and extrapolating to the 
general case, without even taking into consideration that the 
modifications only refer to security-management functions.

Also, in terms of implementation, these security schemes are quite 
different in their coverage and features, so it's an apples vs. oranges 
comparison anyway.


Thanks,



- James
-- 
James Morris
<jmorris@...ei.org>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ