| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Dec 2009 09:51:46 -0500
From: Valdis.Kletnieks@...edu
To: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc: serge@...lyn.com, serue@...ibm.com, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: A basic question about the security_* hooks
On Mon, 28 Dec 2009 20:51:49 +0900, Tetsuo Handa said:
(Hit send too soon)
> Both SELinux and TOMOYO have ability to cover all processes (from /sbin/init
> till /sbin/poweroff) or targeted processes (e.g. only daemons). But SELinux is
> not widely used for protecting all processes. TOMOYO can provide some
> protection for processes which SELinux doesn't protect.
OK, this was what I was talking about - what processes does TOMOYO protect
that SELinux doesn't? Or are you suggesting "use TOMOYO when using the SELinux
'targeted' policy that only tracks some processes"? It would seem that a better
solution there would be to just go ahead and use the 'strict' or 'mls' policies
if you want coverage of all processes - having some processes under SELinux
and some under TOMOYO rules is just asking for confusion...
> Also, people know we sometimes need to restrict string parameters for avoiding
> unwanted consequence. TOMOYO can pay attention to string parameters whereas
> SELinux can't.
Which string parameters are these? Perhaps a better approach than trying to
layer all of TOMOYO on SELinux is to create a small targeted "look at string
parameters" LSM and run *that* on top. Would require LSM stacking, but so would
doing all of TOMOYO.
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists