[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Line.LNX.4.64.0704172143150.21359@d.namei>
Date: Tue, 17 Apr 2007 21:56:49 -0400 (EDT)
From: James Morris <jmorris@...ei.org>
To: David Wagner <daw@...berkeley.edu>
cc: linux-kernel@...r.kernel.org
Subject: Re: AppArmor FAQ
On Tue, 17 Apr 2007, David Wagner wrote:
> Maybe you'd like to confine the PHP interpreter to limit what it can do.
> That might be a good application for something like AppArmor. You don't
> need comprehensive information flow control for that kind of use, and
> it would likely just get in the way.
SELinux can do this, it's policy-flexible. You can even simulate a
pathame-based policy language with a consequential loss of control:
http://seedit.sourceforge.net/
> might well use AppArmor. They solve different problems and have different
> tradeoffs. There is room for more than one security tool in the world.
That is not the point of this discussion, although we can at least be
thankful that Linus didn't request that the networking layer be pluggable
to the extent that the security layer is, otherwise we'd have a menagerie
of "better" TCP stacks, TOE frameworks, STREAMS modules and whatever other
fantastic ideas that people might be inclined to drag out of the kitchen
sink.
- James
--
James Morris
<jmorris@...ei.org>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists