| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0710301713260.8703@asgard.lang.hm> Date: Tue, 30 Oct 2007 17:16:18 -0700 (PDT) From: david@...g.hm To: Peter Dolding <oiaohm@...il.com> cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: Linux Security *Module* Framework (Was: LSM conversion to static interface) On Wed, 31 Oct 2007, Peter Dolding wrote: > MultiAdmin loaded before Selinux breaks Selinux since Multi Admin rules are > applied over using Selinux rules. This is just the way it is stacking LSM's > is Just not healthy you always risk on LSM breaking another. Part of the > reason why I have suggested a complete redesign of LSM. To get away from > this problem of stacking. since the method of stacking hasn't been determined yet, you can't say this. it would be possible for MultiAdmin to grant additional access, that SELinux then denies for it's own reasons. if the SELinux policy is written so that it ignores capabilities, and instead just looks at uid0 then that policy is broken in a stacked environment, but it's the polciy that's broken, not the stacking. yes, there will be interactions that don't make sense, but just becouse something can be used wrong doesn't mean that there aren't other cases where it can be used properly. David Lang - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists