[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <390167.79798.qm@web36613.mail.mud.yahoo.com>
Date: Wed, 12 Mar 2008 09:21:20 -0700 (PDT)
From: Casey Schaufler <casey@...aufler-ca.com>
To: Stephen Smalley <sds@...ho.nsa.gov>,
"Serge E. Hallyn" <serue@...ibm.com>
Cc: Pavel Emelyanov <xemul@...nvz.org>, Greg KH <greg@...ah.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, menage@...gle.com,
sukadev@...ibm.com, Al Viro <viro@...iv.linux.org.uk>,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 5/9] Make use of permissions, returned by kobj_lookup
--- Stephen Smalley <sds@...ho.nsa.gov> wrote:
>
> ...
>
> Not sure I'm following the plot here, but please don't do anything that
> will prohibit the use of containers/namespaces with security modules
> like SELinux/Smack. Yes, that's a legitimate use case, and there will
> be people who will want to do that - they serve different but
> complementary purposes (containers are _not_ a substitute for MAC). We
> don't want them to be exclusive of one another.
I agree that we ought to be able to (dare I say it?) stack containers
and Smack. I have come around 180 degrees regarding the value of
module stacking and am now convinced that a general mechanism for
it would be a Good Thing. Both SELinux and Smack already provide
for stacking capabilities, and I've been asked by another project to
provide for stacking their module. The alternative to general stacking
looks more and more like each LSM providing for the modules it is
willing to stack with, and that could get painful pretty quickly.
Or, tell me why I'm wrong. I promise to listen nicely. (smiley)
Casey Schaufler
casey@...aufler-ca.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists