lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200706042303.28785.agruen@suse.de>
Date:	Mon, 4 Jun 2007 23:03:28 +0200
From:	Andreas Gruenbacher <agruen@...e.de>
To:	Pavel Machek <pavel@....cz>
Cc:	jjohansen@...e.de, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

On Tuesday 15 May 2007 11:20, Pavel Machek wrote:
> Hi!
> 
> > Pathname matching, transition table loading, profile loading and
> > manipulation.
> 
> So we get small interpretter of state machines, and reason we need is
> is 'apparmor is misdesigned and works with paths when it should have
> worked with handles'.

I assume you mean labels instead of handles.

AppArmor's design is around paths not labels, and independent of whether or 
not you like AppArmor, this design leads to a useful security model distinct 
from the SELinux security model (which is useful in its own ways). The 
differences between those models cannot be argued away, neither is a subset 
of the other, and neither is a misdesign. I would be thankful if you could 
stop spreading this lie.

> If you solve the 'new file problem', aa becomes subset of selinux.
> And I'm pretty sure patch will be nicer than this. 

You are quite mistaken. SELinux turns pathnames into labels when it initially 
labels all files (when a policy is rolled out), whereas AppArmor computes 
the "label" of each file when a file is opened. The two models start to 
diverge as soon as files are renamed: in SELinux, labels stick with the 
files. In AppArmor, "labels" stick with the names.

So what you advocate for is a hybrid between the SELinux and the AppArmor 
model, not a superset.

It could be that the SELinux folks will solve the issues they are having with 
new files using something better than restorecond in the future, perhaps even 
an in-kernel mechanism (although I somewhat doubt it). But then again, their 
basic model makes sense even without any live file relabeling, and so that's 
probably not very high up on the priority list.

Andreas
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ