Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,pathname matching

[david]

On Fri, 15 Jun 2007, Greg KH wrote:

> > > Usually you don't do that by doing a 'mv' otherwise you are almost
> > > guaranteed stale and mixed up content for some period of time, not to
> > > mention the issues surrounding paths that might be messed up.
> >
> >  on the contrary, useing 'mv' is by far the cleanest way to do this.
> >
> >  mv htdocs htdocs.old;mv htdocs.new htdocs
> >
> >  this makes two atomic changes to the filesystem, but can generate thousands
> >  to millions of permission changes as a result.
>
> I agree, and yet, somehow, SELinux today handles this just fine, right?
> :)

no it doesn't, SELinux as-is should take no action when the above command 
is run, but SELinux implementing path-based permissions will have to 
relabel every file or directory in both trees.

> Let's worry about speed issues later on when a working implementation is
> produced, I'm still looking for the logical reason a system like this
> can not work properly based on the expected AA interface to users.

if you are willing to live with the race conditions from the slow 
(re)labeling and write the software to scan the entire system to figure 
out the right policies (and then use inotify to watch the entire system 
for changes and (re)label the appropriate files) and accept that you can't 
get any granular security for filesystems that don't nativly support it 
you could make SELinux behave like AA.

but why should they be required to? are you saying that the LSM hooks are 
not a valid API and should be removed with all future security modules 
being based on SELinux?

David Lang
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/