lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 14 Jun 2007 07:25:21 +0900
From:	"Toshiharu Harada" <haradats@...il.com>
To:	"Rik van Riel" <riel@...hat.com>
Cc:	"Stephen Smalley" <sds@...ho.nsa.gov>,
	"Toshiharu Harada" <haradats@...data.co.jp>,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [RFC] TOMOYO Linux

2007/6/14, Rik van Riel <riel@...hat.com>:
> Toshiharu Harada wrote:
> > 2007/6/14, Rik van Riel <riel@...hat.com>:
> > SELinux has a well designed robust and flexible functions.
> > So it should be used for everywhere.  I understand it.
> > As you mentioned one can analyze the system (process)
> > behaviors from AVC logs. But the maintenance cost is not trivial.
> >
> > If logging with process context is the only purpose,
> > current TOMOYO Linux can do it with no hustle at all.
>
> Yes, but so does standard SELinux.
>
> You are making me curious: what does TOMOYO do that is
> not done by regular SELinux?
>
> Logging with process name, path name and contexts is
> already done.  I must have missed some other TOMOYO
> feature in your initial email...

I see SELinux can log with process name, path name and
contexts, but "contexts" must be defined beforehand.
TOMOYO Linux kernel does that with pathname, so no
label definitions needed.
You can confirm the process (domain) transitions any time
and access occurred are clarified per domain basis automatically.
Security context in TOMOYO Linux is represented and stored
as a call chain and very intuitive.

TOMOYO Linux has a mode called "learning"
in addition to "permissive" and "enforce". You can easily
get the TOMOYO Linux policy with learning mode that
SELinux does not have. In addition, access control mode of
TOMOYO Linux can be managed for every difference domain.

-- 
Toshiharu Harada
haradats@...il.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ