david@xxxxxxx wrote:
> On Sun, 10 Jun 2007, Pavel Machek wrote:
> > But you have that regex in _user_ space, in a place where policy
> > is loaded into kernel.
>
> then the kernel is going to have to call out to userspace every time a
> file is created or renamed and the policy is going to be enforced
> incorrectly until userspace finishes labeling/relabeling whatever is
> moved. building this sort of race condition for security into the kernel
> is highly questionable at best.
>
> > AA has regex parser in _kernel_ space, which is very wrong.
>
> see Linus' rants about why it's not automatically the best thing to move
> functionality into userspace.
>
> remember that the files covered by an AA policy can change as files are
> renamed. this isn't the case with SELinux so it doesn't have this sort
> of problem.
How about using the inotify interface on / to watch for file changes and
updating the SELinux policies on the fly? This could be done from a
userspace daemon and should require minimal SELinux changes.

The only possible problems I can see are the (hopefully) small gap
between the file change and updating the policy and the performance
problems of watching the whole system for changes.
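The watcher half of the daemon proposed above, as an added example that is not part of the thread and is not code from AppArmor or SELinux: it opens a non-blocking inotify instance, watches a directory for create/move/delete events, drains the queue, and pairs the IN_MOVED_FROM and IN_MOVED_TO halves of a rename by their cookie, which is what a relabeling daemon would have to do before it could update anything. The `demo_rename_events` scenario (temporary directory, file names and the `watcher_*` helpers are all assumptions) creates a file, renames it, and only then reads the events; the comment in between marks the window the message calls the "small gap", during which the kernel has already completed the rename but no policy update has happened yet.

```c
// Added example, not from the thread: minimal inotify watcher in the style of
// the userspace daemon proposed above. All names below are assumptions.
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <poll.h>
#include <unistd.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#define MAX_EVENTS 64

struct fs_event {
    int      wd;                 /* watch descriptor the event belongs to */
    uint32_t mask;               /* IN_CREATE, IN_MOVED_FROM, IN_MOVED_TO, ... */
    uint32_t cookie;             /* non-zero only for renames; links both halves */
    char     name[NAME_MAX + 1]; /* entry name relative to the watched directory */
};

/* Create a non-blocking inotify instance; returns the fd or -1. */
int watcher_init(void) {
    return inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
}

/* Watch one directory for the events a relabeling daemon would act on. */
int watcher_add_dir(int fd, const char *path) {
    return inotify_add_watch(fd, path, IN_CREATE | IN_MOVED_FROM | IN_MOVED_TO | IN_DELETE);
}

/* Wait up to timeout_ms for events, then drain the queue into out[]; returns count. */
int watcher_collect(int fd, int timeout_ms, struct fs_event *out, int max) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int n = 0;

    if (poll(&pfd, 1, timeout_ms) <= 0)
        return 0;                                   /* nothing queued */
    for (;;) {
        ssize_t len = read(fd, buf, sizeof buf);
        if (len <= 0)
            break;                                  /* EAGAIN: queue drained */
        for (char *p = buf; p < buf + len; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if (n < max) {
                out[n].wd = ev->wd;
                out[n].mask = ev->mask;
                out[n].cookie = ev->cookie;
                snprintf(out[n].name, sizeof out[n].name, "%s", ev->len ? ev->name : "");
                n++;
            }
            p += sizeof(struct inotify_event) + ev->len;
        }
    }
    return n;
}

/* Index of the IN_MOVED_TO that completes the IN_MOVED_FROM at index i, or -1. */
int watcher_match_rename(const struct fs_event *evs, int n, int i) {
    if (!(evs[i].mask & IN_MOVED_FROM) || evs[i].cookie == 0)
        return -1;
    for (int j = 0; j < n; j++)
        if (j != i && (evs[j].mask & IN_MOVED_TO) && evs[j].cookie == evs[i].cookie)
            return j;
    return -1;
}

/* Constructed scenario: create a file, rename it, then look at what the daemon sees.
 * Returns the number of complete rename pairs observed (1 here), or -1 on error. */
int demo_rename_events(void) {
    char dir[] = "/tmp/inotify-demo-XXXXXX";        /* assumed writable location */
    if (!mkdtemp(dir)) return -1;
    int fd = watcher_init();
    if (fd < 0 || watcher_add_dir(fd, dir) < 0) return -1;

    char old_path[PATH_MAX], new_path[PATH_MAX];
    snprintf(old_path, sizeof old_path, "%s/unconfined.txt", dir);
    snprintf(new_path, sizeof new_path, "%s/confined.txt", dir);
    FILE *f = fopen(old_path, "w");
    if (!f) return -1;
    fclose(f);
    if (rename(old_path, new_path) != 0) return -1;
    /* The rename is already done in the kernel; until the daemon processes the
     * events below, whatever label the file carried before still applies. */

    struct fs_event evs[MAX_EVENTS];
    int n = watcher_collect(fd, 1000, evs, MAX_EVENTS);
    int matched = 0;
    for (int i = 0; i < n; i++) {
        if (evs[i].mask & IN_CREATE)
            printf("created: %s\n", evs[i].name);
        int j = watcher_match_rename(evs, n, i);
        if (j >= 0) {
            printf("renamed: %s -> %s\n", evs[i].name, evs[j].name);
            matched++;
        }
    }
    unlink(new_path);
    rmdir(dir);
    close(fd);
    return matched;
}
```

Watching `/` as the message suggests means repeating `watcher_add_dir` for every directory in the tree and adding a watch for each directory that IN_CREATE or IN_MOVED_TO later reports, which is where the performance concern comes from; a rename whose source and destination are in different watched directories still shares one cookie, so the pairing logic above covers that case too.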