Message-ID: <9d732d950706131618t6027f1a3xd840dde9cd7c0337@mail.gmail.com>
Date: Thu, 14 Jun 2007 08:18:19 +0900
From: "Toshiharu Harada" <haradats@...il.com>
To: "James Morris" <jmorris@...ei.org>
Cc: "Rik van Riel" <riel@...hat.com>,
"Stephen Smalley" <sds@...ho.nsa.gov>,
"Toshiharu Harada" <haradats@...data.co.jp>,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [RFC] TOMOYO Linux
Morris, thank you for your comment.
2007/6/14, James Morris <jmorris@...ei.org>:
> On Thu, 14 Jun 2007, Toshiharu Harada wrote:
>
> > TOMOYO Linux has a mode called "learning"
> > in addition to "permissive" and "enforce". You can easily
> > get the TOMOYO Linux policy with learning mode that
> > SELinux does not have.
>
> Blindly generating security policy through observation of the system is
> potentially dangerous for many reasons.
> See
> <http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/>
>
When I saw Russell Coker and showed him a demonstration of
TOMOYO Linux, he made the same comment.
Also, after tracing a long AppArmor thread, I'm convinced of the
meaning of the label-based approach. That's why I don't think of TOMOYO Linux as a
replacement for SELinux. "Professional policy (or reference policy)"
makes sense to me.
However, it may be safe for auditing and profiling purposes.
The policy learning feature of TOMOYO Linux will help in
understanding the behavior of Linux boxes.
That is my point.
I will double check the link you showed me. Thank you.
(It's wonderful to receive comments from you and Stephen!)
> Note that while SELinux does also have a similar capability with the
> audit2allow tool, it should be considered an expert tool, the output of
> which needs to be understood before use (as noted in its man page).
Yes. But I remember Frank said "don't use it :-)" when he gave a
presentation in Japan.
> > In addition, the access control mode of
> > TOMOYO Linux can be managed for every different domain.
>
> We have considered per-domain enforcing mode a couple of times in the
> past, but figured that it could be implemented via policy alone (e.g. run
> the task in a domain where all accesses are allowed and logged); and it
> would also be of limited usefulness because of the aforementioned problems
> with learning mode security policy.
I'll reply to this part later.
Thanks!
Toshiharu Harada
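The exchange above turns on one point: a policy generated from observed denials (TOMOYO's learning mode, or SELinux's audit2allow) encodes whatever the system was doing while it was observed, including behaviour you did not intend to bless. The following is an added example, not code from this thread, from TOMOYO Linux or from the SELinux tools. It collapses constructed SELinux AVC denial lines into `allow` statements the way audit2allow does, then applies a hypothetical review rule (the `SENSITIVE_TYPES` and `WRITE_LIKE` sets are assumptions for illustration, not part of any reference policy) to show why the output must be read before it is loaded: a daemon that was being abused during "learning" would otherwise get a rule granting it the abuse.

```python
"""Added example: a minimal audit2allow-style generator over constructed AVC
denial lines, plus a review step that flags rules a learning mode would grant
blindly. Not TOMOYO Linux code and not the SELinux userspace tools' code."""
import re
from collections import defaultdict

# Constructed sample denials (not real logs). The third line is the kind of
# access an exploited httpd might trigger while the system is "learning".
SAMPLE_AVC = """\
type=AVC msg=audit(1181779099.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1181779099.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1181779100.789:47): avc:  denied  { write } for  pid=1234 comm="httpd" name="shadow" dev=sda1 ino=91 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Matches the permission set and the source/target contexts of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # A context is user:role:type[:mls]; the type field drives TE rules.
    return context.split(":")[2]

def parse_denials(text):
    """Yield (stype, ttype, tclass, frozenset(perms)) for each AVC denied line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (_type_of(m["scontext"]), _type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def generate_allow_rules(text):
    """Collapse denials into 'allow' statements, as audit2allow does."""
    perms = defaultdict(set)
    for stype, ttype, tclass, p in parse_denials(text):
        perms[(stype, ttype, tclass)] |= p
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(ps))))
    return rules

# Assumed review policy (hypothetical, not from any reference policy):
# target types that a generated rule should never silently grant writes to.
SENSITIVE_TYPES = {"shadow_t", "etc_t", "bin_t", "kernel_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename",
              "setattr", "relabelto"}

def review_rules(rules):
    """Return the generated rules that need a human before being loaded."""
    flagged = []
    for r in rules:
        m = re.match(r"allow (\S+) (\S+):(\S+) \{ (.*) \};", r)
        ttype, ps = m.group(2), set(m.group(4).split())
        if ttype in SENSITIVE_TYPES and ps & WRITE_LIKE:
            flagged.append(r)
    return flagged

if __name__ == "__main__":
    rules = generate_allow_rules(SAMPLE_AVC)
    for r in rules:
        print(r)
    for r in review_rules(rules):
        print("REVIEW:", r)
```

Run on the constructed lines, the generator emits two rules; the first (`httpd_t` reading `httpd_sys_content_t`) is what the administrator meant to allow, the second (`httpd_t` writing `shadow_t`) is exactly the "status quo" a learning mode would encapsulate, and the review step flags it. The same shape applies to a TOMOYO learning-mode profile: the learned policy is a record of what happened, not of what should be permitted, which is why the text above limits it to auditing and profiling.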