From: James Morris
Subject: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Date: Sat, 26 May 2007 14:45:32 -0400 (EDT)
References: <309300.41401.qm@web36615.mail.mud.yahoo.com>
Cc: casey@schaufler-ca.com, Andreas Gruenbacher, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
To: Kyle Moffett
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Sat, 26 May 2007, Kyle Moffett wrote:

> AppArmor). On the other hand, if you actually want to protect the _data_,
> then tagging the _name_ is flawed; tag the *DATA* instead.

Bingo.

(This is how traditional Unix DAC has always functioned, and is what
SELinux does: object labeling).

- James
--
James Morris