Message-ID: <390167.79798.qm@web36613.mail.mud.yahoo.com>
Date:	Wed, 12 Mar 2008 09:21:20 -0700 (PDT)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Stephen Smalley <sds@...ho.nsa.gov>,
	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	Pavel Emelyanov <xemul@...nvz.org>, Greg KH <greg@...ah.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, menage@...gle.com,
	sukadev@...ibm.com, Al Viro <viro@...iv.linux.org.uk>,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH 5/9] Make use of permissions, returned by kobj_lookup


--- Stephen Smalley <sds@...ho.nsa.gov> wrote:

> 
> ...
> 
> Not sure I'm following the plot here, but please don't do anything that
> will prohibit the use of containers/namespaces with security modules
> like SELinux/Smack.  Yes, that's a legitimate use case, and there will
> be people who will want to do that - they serve different but
> complementary purposes (containers are _not_ a substitute for MAC).  We
> don't want them to be exclusive of one another.

I agree that we ought to be able to (dare I say it?) stack containers
and Smack. I have come around 180 degrees regarding the value of
module stacking and am now convinced that a general mechanism for
it would be a Good Thing. Both SELinux and Smack already provide
for stacking capabilities, and I've been asked by another project to
provide for stacking their module. The alternative to general stacking
looks more and more like each LSM providing for the modules it is
willing to stack with, and that could get painful pretty quickly.

Or, tell me why I'm wrong. I promise to listen nicely. (smiley)


Casey Schaufler
casey@...aufler-ca.com