Message-ID: <999952.62855.qm@web36615.mail.mud.yahoo.com>
Date:	Fri, 8 Jun 2007 14:54:02 -0700 (PDT)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Pavel Machek <pavel@....cz>,
	David Wagner <daw-usenet@...erner.cs.berkeley.edu>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook


--- Pavel Machek <pavel@....cz> wrote:


> AA solves less problems than SELinux does.

And vi solves less problems than OpenOffice.
vi is good for a different set of purposes than OpenOffice.
AA and SELinux both aspire to being Security Solutions,
but that does not make either a subset of the other.

> Some people like AA more,
> but I guess they should just learn SELinux.

Knowing the people involved I would suggest that the AA people
did learn SELinux, and came to their own conclusions regarding
its applicability to their needs, and that those conclusions
are not the same as yours.
 
> And yes, I'm afraid this discussion is relevant on l-k, because we
> should have very good reasons before merging duplicate functionality.

C'mon, you know better than to claim that this is duplicate
functionality. No one is arguing that. The arguments have been
that the conceptual basis of name based access control is flawed.
As that argument has failed to move the AA adherents, the old sawhorse
that SELinux does everything, or could be made to if you sweated the
policy hard enough, got pulled out. No evidence to that effect,
mind you, but the old "waves paw" nonetheless.

SELinux is the finest implementation of Type Enforcement on the planet.
TE does not match everyone's definition of security. AA is an
alternative that clearly has as tough a row to hoe as SELinux did
in 2001, when it was up against MLS system vendors who compared it
to Froot Loops. Alternatives, even those that you don't personally
care for, are good for you.



Casey Schaufler
casey@...aufler-ca.com