Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

From: Serge E. Hallyn
Date: Mon Apr 24 2006 - 08:55:33 EST


Quoting Alan Cox (alan@xxxxxxxxxxxxxxxxxxx):
> On Llu, 2006-04-24 at 10:24 +0200, Lars Marowsky-Bree wrote:
> > On 2006-04-23T05:45:34, Valdis.Kletnieks@xxxxxx wrote:
> >
> > > > AppArmor are not likely to put careful thought into the policies that
> > > > they use?
> > > They're not likely to put careful thought into it, *AND* that saying things
> > > like "AppArmor is so *simple* to configure" only makes things worse - this
> > > encourages unqualified people to create broken policy configurations.
> >
> > That is about the dumbest argument I've heard so far, sorry.
>
> It's the conclusion of most security experts I know that broken security
> is worse than no security at all.

Who is the one here showing blind faith in their security? :)

Now don't get me wrong, I run static analysis tools against selinux
pretty regularly, and while the userspace tools get more and more scary
(as they are under development), the only thing I find in the kernel
code is the occasional unused variable. And I'm not arguing any flaws
in the model, which indeed is more robust than the AA model. But if
anyone is certain there are/can be no bugs in the rest of the kernel
which can circumvent selinux, or has perfect faith in their policy, then
your statement likely applies to them.

So as long as the kernel is under development, then by your logic one
might argue that using selinux, even if it is perfect in itself, is more
dangerous than using nothing.

-serge