Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11] security: AppArmor - Overview

[Chris Wright]

* Karl MacMillan (kmacmillan@xxxxxxxxxx) wrote:
> While this is example of labeling issues with SELinux is correct for a
> standard targeted policy, it does not represent an intrinsic problem
> with the SELinux mechanism. A policy that has the appropriate
> specialized domains for reading /etc/shadow and corresponding
> type_transition rules can prevent this mislabeling. The solution may not
> be very satisfying because of the changes it makes to how systems are
> typically administered, but at least it does exist within the SELinux
> model. The same cannot be said of the problems introduced by path-based
> mechanisms.

Indeed, I tried to be quite specific to targeted policy.  The point
is that having unconfined domains makes it very challenging to reason
about the security of the system.  So, while comprehensive strict policy
addresses that, it's also what nearly guarantees turning security off
for most normal general purpose machines ;-)

thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/