Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11]security: AppArmor - Overview

[Stephen Smalley]

On Thu, 2006-04-27 at 16:44 -0700, Chris Wright wrote:
> * Karl MacMillan (kmacmillan@xxxxxxxxxx) wrote:
> > While this is example of labeling issues with SELinux is correct for a
> > standard targeted policy, it does not represent an intrinsic problem
> > with the SELinux mechanism. A policy that has the appropriate
> > specialized domains for reading /etc/shadow and corresponding
> > type_transition rules can prevent this mislabeling. The solution may not
> > be very satisfying because of the changes it makes to how systems are
> > typically administered, but at least it does exist within the SELinux
> > model. The same cannot be said of the problems introduced by path-based
> > mechanisms.
> 
> Indeed, I tried to be quite specific to targeted policy.  The point
> is that having unconfined domains makes it very challenging to reason
> about the security of the system.  So, while comprehensive strict policy
> addresses that, it's also what nearly guarantees turning security off
> for most normal general purpose machines ;-)

But this is a temporary situation, until we have the infrastructure and
tools developed to make MAC truly manageable by typical end users.  Not
an inherent problem.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/