[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48E33397.1030709@nttdata.co.jp>
Date: Wed, 01 Oct 2008 17:23:51 +0900
From: Kentaro Takeda <takedakn@...data.co.jp>
To: Valdis.Kletnieks@...edu
CC: Casey Schaufler <casey@...aufler-ca.com>,
"Serge E. Hallyn" <serue@...ibm.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, haradats@...data.co.jp,
Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
Al Viro <viro@...IV.linux.org.uk>
Subject: Re: [TOMOYO #9 (2.6.27-rc7-mm1) 1/6] LSM adapter functions.
Valdis.Kletnieks@...edu wrote:
> On Tue, 30 Sep 2008 19:33:32 PDT, Casey Schaufler said:
>> I have always believed that MAC should come first, then DAC, because
>> MAC may care if you can see the mode bits. The current DAC before MAC
>> is an artifact of the desire for the LSM to behave cleanly as a
>> strictly additional mechanism. From an ideal security perspective
>> MAC should be first, but the pragmatic DAC first isn't going to cause
>> too much grief. If Tomoyo wants to do what I think is the right thing,
>> well, it's OK with me.
> I'm OK with the MAC going first as well
Current implementation is as follows.
- security_path_*: MAC before DAC
- security_inode_*: DAC before MAC
I can understand Casey and Valdis' MAC first approach from the ideal
security perspective. However, from the pragmatic perspective, we
prefer DAC before MAC approach as SELinux does. This approach doesn't
change error code returned to callers if requested access is denied
by DAC.
Regards,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists