Re: [RFC][PATCH 0/11] security: AppArmor - Overview

From: Casey Schaufler
Date: Tue Apr 25 2006 - 23:56:25 EST




--- Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> On Tue, 2006-04-25 at 09:00 -0700, Casey Schaufler wrote:
> > The underlying mechanisms are more complex than
> > Bell & LaPadula MAC + Biba Integrity + POSIX Caps.
>
> Until one also considers the set of trusted subjects in systems that
> rely on such models.

How so? It's pretty much the same set of subjects
as you'd find in SELinux.

> That's the point. Those subjects are free to violate the "simple"
> models, at which point any analysis of the effective policy of the
> system has to include them as well.

Yup, and you're going to have to provide analysis
of the subjects under SELinux as well. No way are
you going to convince anyone that a half-million
lines of policy definition are 100% error free.

> SELinux/TE just makes the real situation explicit in the policy, and
> enables you to tailor the policy to the real needs of applications
> while still being able to analyze the result.

This is what I don't get. How can you claim that
you can analyse a policy definition that big?
Further, I remember arguments to the effect of
a programmer being able to knock off the policy
for a program in 10 minutes. Having written and
analysed as many MLS systems as anyone on the
planet you'll excuse my scepicism. And poor speling.



Casey Schaufler
casey@xxxxxxxxxxxxxxxx