Re: viewprinting: what format should views be stored in?

[George Beshers <gbeshers@comcast.net>]

[-- Attachment #1: Type: text/plain, Size: 2503 bytes --]


The honest answer is that it has been over a year since I looked at the 
SELinux
stuff.  It is on my to-do list to review what's there.

However, modulo that disclaimer, I believe what we are doing can readily 
become
part of a larger strategy, indeed as you point out, it must to truely 
promote security.
This doesn't bother me in the slightest.  I will feel that the time was 
worthwhile if
our implementation becomes a standard part of a larger security 
apparatus, e.g.,
because we proved that file system masks could scale to multi-terabyte 
repositories.

I will take a gander at the paper you reference this weekend.


Valdis.Kletnieks@vt.edu wrote:

>On Fri, 20 Aug 2004 07:23:24 -0000, David Dabbs said:
>
>  
>
>>Hans and George, what did you find lacking in currently-available Linux security
>>module frameworks such as LIDS or LSM? They provide system function hooks
>>in which module writers may control object access. LSM-based work is on-going. See 
>>http://sic.iaik.tugraz.at/Best%20Paper%20Award/2004/LSM_quaritsch_winkler.pdf
>>for details of their addition of module stacking (multiple policies) and hooks into
>>the TCP layer. I'm going to read up on these frameworks.
>>    
>>
>
>Amen to that - while reading through Hans' summary, I was having a hard time
>figuring out what this was buying us that SELinux doesn't provide. Thanks for the
>pointer to the Quartisch&Winkler paper, as module stacking seems to be heating up.
>The "usual scenario" for what people seem to want with LSM is a MAC system
>like SELinux or LIDS, then zero or more "pathological case" handlers (for
>instance, the 'BSD Securelevels' LSM, or some variant of the OpenWall mods, or
>a chroot/jail module) to harden a specific aspect of the system, and then the
>Capabilities LSM.
>
>The biggest reason for wanting to do security at the LSM level rather than the
>filesystem level is because that way you can *really* secure things (hint -
>your filesystem can be as secure as you want, but if you don't also secure
>stuff like unix-domain sockets or SYSV shared memory segments, 2 cooperating
>processes can end-run an MLS trying to prevent it....)
>
>If there's a specific need that you can't think of how to implement via SELinux
>or the low-level LSM calls, please feel free to ask - if the exact nature of
>the problem is itself sensitive, I can vector you to people over on the spook
>side of the fence who should be able to either help you out or redirect you to
>even spookier people.. ;)
>
>  
>

[-- Attachment #2: Type: text/html, Size: 3170 bytes --]