[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070609193853.GA6663@elf.ucw.cz>
Date: Sat, 9 Jun 2007 21:38:53 +0200
From: Pavel Machek <pavel@....cz>
To: David Wagner <daw-usenet@...erner.cs.berkeley.edu>
Cc: linux-kernel@...r.kernel.org
Subject: Re: AppArmor FAQ
Hi!
> >> Maybe you'd like to confine the PHP interpreter to limit what it can do.
> >> That might be a good application for something like AppArmor. You don't
> >> need comprehensive information flow control for that kind of use, and
> >> it would likely just get in the way.
> >
> >SELinux can do this, it's policy-flexible. You can even simulate a
> >pathame-based policy language with a consequential loss of control:
>
> I have no doubt that SELinux can do that, but that has about as much
> relevance to my point as the price of tea in China does. I can use a
> screwdriver to drive in a nail into my wall, too, if I really wanted to,
> but that doesn't mean toolmakers should stop manufacturing hammers.
Well, we are talking about kernel here, and if screwdrivers work well
enough to drive nails into walls, we'll not allow hammers in.
> My point is that there are some tasks where it's plausible that AppArmor
> might well be a better (easier-to-use) tool for the job. I'm
If SELinux can do the task, AA people are welcome to port their
userland apps to SELinux to make it user friendly. We do _not_ provide
user friendly services in kernel.
Someone wanted shell inside kernel because it is convenient to
him. Too bad, not going to be merged.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists