Open Source and information security mailing list archives
 
Message-ID: <19578.1187557961@turing-police.cc.vt.edu>
Date:	Sun, 19 Aug 2007 17:12:41 -0400
From:	Valdis.Kletnieks@...edu
To:	Kyle Moffett <mrmacman_g4@....com>
Cc:	casey@...aufler-ca.com, Pavel Machek <pavel@....cz>,
	linux-security-module@...r.kernel.org,
	LKML Kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Smack: Simplified Mandatory Access Control Kernel

On Sat, 18 Aug 2007 01:29:58 EDT, Kyle Moffett said:

> XFCE.  If you can show me a security system other than SELinux which  
> is sufficiently flexible to secure those 2 million lines of code  
> along with the other 50 million lines of code found in various pieces  
> of software on my Debian box then I'll go put on my dunce hat and sit  
> in the corner.

/me hands Kyle a dunce cap. :)

Unfortunately, I have to agree that both AppArmor and Smack have at least
the potential of qualifying as "securing the 2M lines of code".

The part that Kyle forgot was what most evals these days call the "protection
profile" - What's the threat model, who are you defending against, and just
how good a job does it have to do?  I'll posit that for a computer that
is (a) not networked, (b) doesn't process sensitive information, and (c) has
reasonable physical security, a security policy of "return(permitted);" for
everything may be quite sufficient.

(Of course, I also have boxes where "the SELinux reference policy with all
the MCS extensions plus all the LSPP work" is someplace I'm trying to get to).
