Re: [RFC][PATCH 0/11] security: AppArmor - Overview

[Stephen Smalley]

On Tue, 2006-04-25 at 20:56 -0700, Casey Schaufler wrote:
> 
> --- Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> 
> > On Tue, 2006-04-25 at 09:00 -0700, Casey Schaufler
> > wrote:
> > > The underlying mechanisms are more complex than
> > > Bell & LePadula MAC + Biba Integrity + POSIX Caps.
> > 
> > Until one also considers the set of trusted subjects
> > in systems that
> > rely on such models.
> 
> How so? It's pretty much the same set of subjects
> as you'd find in SELinux.
> 
> > That's the point.  Those subjects are free to
> > violate the "simple" models, at which point any
> > analysis of the
> > effective policy of the system has to include them
> > as well.
> 
> Yup, and you're going to have to provide analysis
> of the subjects under SELinux as well. No way are
> you going to convince anyone that a half-million
> lines of policy definition are 100% error free.
> 
> > SELinux/TE
> > just makes the real situation explicit in the
> > policy, and enables you to
> > tailor the policy to the real needs of applications
> > while still being
> > able to analyze the result.
> 
> This is what I don't get. How can you claim that
> you can analyse a policy definition that big?
> Further, I remember arguments to the effect of
> a programmer being able to knock off the policy
> for a program in 10 minutes. Having written and
> analysed as many MLS systems as anyone on the
> planet you'll excuse my scepicism. And poor speling.

Perhaps we aren't communicating very well.  There are already tools like
apol and slat that perform information flow analysis of SELinux policies
and that can be used to check properties.  

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/