| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <16474.1261966107@localhost>
Date: Sun, 27 Dec 2009 21:08:27 -0500
From: Valdis.Kletnieks@...edu
To: daw-news@...erner.cs.berkeley.edu (David Wagner)
Cc: linux-kernel@...r.kernel.org
Subject: Re: A basic question about the security_* hooks
On Sun, 27 Dec 2009 20:28:23 GMT, David Wagner said:
> Read the thread, where you can find the answer *why*. The question has
> already been answered.
That was the *original* use case for Michael Stone's module. However, in the
mail that I was specifically replying to:
On Sun, 27 Dec 2009 13:02:54 +0900, Tetsuo Handa said:
> I believe TOMOYO can safely coexist with other security modules.
> Why TOMOYO must not be used with SELinux or Smack or AppArmor?
> What interference are you worrying when enabling TOMOYO with SELinux or Smack
> or AppArmor?
Tetsuo asked specifically about the issues of composing two MAC implementations,
so I answered that issue as opposed to "composing a MAC with a small LSM".
I agree that composing a MAC system plus something small should be easier -
as far back as April 2002 there was discussion of stacking SELinux and the
OWLSM (openwall/grsecurity style patches). And we've *still* not managed to
get a solution for that issue (though Serge Hallyn did a yeoman job in trying
to get a stacker accepted back in 2004 or so).
I wonder if we need to go look at Serge's patch set again. It's getting tiring
to revisit the issue every 18 months when somebody wants a small LSM, but can't
do it because large MACs have essentially co-opted the interface.
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists