Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks)

[Serge E. Hallyn]

Quoting Arjan van de Ven (arjan@xxxxxxxxxxxxx):
> On Mon, 2006-04-24 at 08:09 -0500, Serge E. Hallyn wrote:
> > Quoting Arjan van de Ven (arjan@xxxxxxxxxxxxx):
> > > for all such things in the first place. In fact, we already know that to
> > > do auditing, LSM is the wrong thing to do (and that's why audit doesn't
> > > use LSM). It's one of those fundamental linux truths: Trying to be
> > 
> > As I recall it was simply decided that LSM must be "access control
> > only", and that was why it wasn't used for audit.
> 
> no you recall incorrectly.
> Audit needs to audit things that didn't work out, like filenames that
> don't exist. Audit needs to know what is going to happen before the
> entire "is this allowed" chain is going to be followed. SELInux and
> other LSM parts are just one part of that chain, and there's zero
> guarantee that you get to the LSM part in the chain.....  Now of course

Ah yes.  It needed to be authoritative.  I did recall incorrectly.

I suspect some would argue that you are right that LSM is broken, but
only because it wasn't allowed to be authoritative.  Of course that
was to increase chances of LSM upstream inclusion.  Sorry Casey and
Linda, I bet that just makes it sting all the harder if LSM is now
removed for not being sufficiently useful.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/