[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0706160101470.7557@asgard.lang.hm>
Date: Sat, 16 Jun 2007 01:09:06 -0700 (PDT)
From: david@...g.hm
To: Greg KH <greg@...ah.com>
cc: Crispin Cowan <crispin@...ell.com>, Pavel Machek <pavel@....cz>,
Andreas Gruenbacher <agruen@...e.de>,
Stephen Smalley <sds@...ho.nsa.gov>, jjohansen@...e.de,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,
pathname matching
On Fri, 15 Jun 2007, Greg KH wrote:
>>> Usually you don't do that by doing a 'mv' otherwise you are almost
>>> guaranteed stale and mixed up content for some period of time, not to
>>> mention the issues surrounding paths that might be messed up.
>>
>> on the contrary, useing 'mv' is by far the cleanest way to do this.
>>
>> mv htdocs htdocs.old;mv htdocs.new htdocs
>>
>> this makes two atomic changes to the filesystem, but can generate thousands
>> to millions of permission changes as a result.
>
> I agree, and yet, somehow, SELinux today handles this just fine, right?
> :)
no it doesn't, SELinux as-is should take no action when the above command
is run, but SELinux implementing path-based permissions will have to
relabel every file or directory in both trees.
> Let's worry about speed issues later on when a working implementation is
> produced, I'm still looking for the logical reason a system like this
> can not work properly based on the expected AA interface to users.
if you are willing to live with the race conditions from the slow
(re)labeling and write the software to scan the entire system to figure
out the right policies (and then use inotify to watch the entire system
for changes and (re)label the appropriate files) and accept that you can't
get any granular security for filesystems that don't nativly support it
you could make SELinux behave like AA.
but why should they be required to? are you saying that the LSM hooks are
not a valid API and should be removed with all future security modules
being based on SELinux?
David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists