From: Valdis.Kletnieks@vt.edu
To: daw-news@taverner.cs.berkeley.edu (David Wagner)
Cc: linux-kernel@vger.kernel.org
Subject: Re: A basic question about the security_* hooks
Date: Sun, 27 Dec 2009 21:08:27 -0500
Message-ID: <16474.1261966107@localhost>
In-Reply-To: Your message of "Sun, 27 Dec 2009 20:28:23 GMT." <hh8g17$qlu$1@taverner.cs.berkeley.edu>
On Sun, 27 Dec 2009 20:28:23 GMT, David Wagner said:

> Read the thread, where you can find the answer *why*. The question has
> already been answered.

That was the *original* use case for Michael Stone's module. However, in the
mail that I was specifically replying to:

On Sun, 27 Dec 2009 13:02:54 +0900, Tetsuo Handa said:

> I believe TOMOYO can safely coexist with other security modules.
> Why TOMOYO must not be used with SELinux or Smack or AppArmor?
> What interference are you worrying when enabling TOMOYO with SELinux or Smack
> or AppArmor?

Tetsuo asked specifically about the issues of composing two MAC implementations,
so I answered that issue as opposed to "composing a MAC with a small LSM".

I agree that composing a MAC system plus something small should be easier -
as far back as April 2002 there was discussion of stacking SELinux and the
OWLSM (openwall/grsecurity style patches). And we've *still* not managed to
get a solution for that issue (though Serge Hallyn did a yeoman job in trying
to get a stacker accepted back in 2004 or so).

I wonder if we need to go look at Serge's patch set again. It's getting tiring
to revisit the issue every 18 months when somebody wants a small LSM, but can't
do it because large MACs have essentially co-opted the interface.