Re: Some Concrete AppArmor Questions - was Re: [RFC][PATCH 0/11] security: AppArmor - Overview

From: Casey Schaufler
Date: Fri Apr 28 2006 - 11:49:13 EST




--- Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:


> But this is a temporary situation, until we have the
> infrastructure and
> tools developed to make MAC truly manageable by
> typical end users. Not
> an inherent problem.

Oh come on! I've been hearing that saw continuously
since 1987. Mandatory MAC (as opposed to targeted MAC)
is hard on sysadmins. It will remain so. SELinux,
Trusted Solaris, Trusted IRIX, and anyone else are all
a pain in the bum and will remain so. Tools are going
to help only to a limited extent, they never make all
the pain go away. Smarter people than I have been
working on the problem for 20 years and I believe that
it's safe to say there is no magic wand that will
make the problems all go away.

I like MAC. I like the Iron Fist approach to software
security. I just don't believe that there's a glove
with velvet thick enough to please the masses.


Casey Schaufler
casey@xxxxxxxxxxxxxxxx