Re: what's next for the linux kernel?

[Helge Hafting]

Valdis.Kletnieks@xxxxxx wrote:

> The part that you managed to miss is that this is MAC - *Mandatory*
> Access Control.  This means that the *sysadmin* gets to say "this user
> can't look at that file" - and there's nothing(*) either the owner of the
> file or the user can do about it.  There's no chmod or chattr or chacl
> command that the owner can issue to let somebody else read it - that's
> the whole *point* of MAC.
>
> (*) Well.. almost nothing.  The owner *may* be able to copy the contents
> of the file to another file that the other user is allowed to read.  On the
> other hand, the ability to do this would generally indicate a buggy policy....
>  
Seems to me there is no use taking away the owners ability to chmod,
precisely because the owner always can get around that. (Unless
the owner doesn't even have the right to read his own file.)

You can have a restricted "copy" program, but nothing prevents a
user from making his own copy program, if he can read the file.
Or the user can load the file into the intended app, and "save as"
to some other filename and directory.  Or the user can do a screendump,
or even take a picture of the screen. 

Company policy may of course forbid the user to bring a camera, just as it
might forbid the user to do "chmod o+r" on important files.  I am not
sure that we need the OS to try to enforce such things. 

Helge Hafting

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/