david@xxxxxxx wrote:Still not completely correct, though the targeted policy has an unconfined domain (unconfined_t) the policy still has allow rules for everything unconfined can do, 2 examples of things unconfined still can't do (because they aren't allowed by the targeted policy) is execmem and a while back when there was a /proc exploit that required setattr on /proc/self/environ; unconfined_t wasn't able to do that either (and therefore the exploit didn't work on a targeted system).
On Fri, 8 Jun 2007, Greg KH wrote:That's not quite right:
I still want to see a definition of the AA "model" that we can then usethe way I would describe the difference betwen AA and SELinux is:
to try to implement using whatever solution works best. As that seems
to be missing the current argument of if AA can or can not be
implemented using SELinux or something totally different should be
SELinux is like a default allow IPS system, you have to describe
EVERYTHING to the system so that it knows what to allow and what to stop.
AA is like a default deny firewall, you describe what you want to
happen, and it blocks everything else without you even having to
realize that it's there.
* SELinux Strict Policy is a default-deny system: it specifies
everything that is permitted system wide, and all else is denied.
* AA and the SELinux Targeted Policy are hybrid systems:
o default-deny within a policy or profile: confined processes
are only permitted to do what the policy says, and all else
o default-allow system wide: unconfined processes are allowed
to do anything that classic DAC permissions allow.