Re: [RFC] TOMOYO Linux

From: Toshiharu Harada
Date: Wed Jun 13 2007 - 19:18:35 EST


Morris, thank you for your comment.

2007/6/14, James Morris <jmorris@xxxxxxxxx>:
> On Thu, 14 Jun 2007, Toshiharu Harada wrote:
>
> > TOMOYO Linux has a mode called "learning"
> > in addition to "permissive" and "enforce". You can easily
> > get the TOMOYO Linux policy with learning mode that
> > SELinux does not have.
>
> Blindly generating security policy through observation of the system is
> potentially dangerous for many reasons.
> See
> <http://securityblog.org/brindle/2006/03/25/security-anti-pattern-status-quo-encapsulation/>


When I saw Russell Coker and showed him a demonstration of
TOMOYO Linux, he made the same comment.
Also, after tracing a long AppArmor thread, I'm convinced of the
meaning of label base. That's why I don't think of TOMOYO Linux as a
replacement for SELinux. "Professional policy (or reference policy)"
makes sense to me.

However, it may be safe for auditing and profiling purposes.
Policy learning feature of TOMOYO Linux will help
understanding the behavior of Linux boxes.
That is my point.

I will double check the link you showed me. Thank you.
(It's wonderful to receive comments from you and Stephen!)

> Note that while SELinux does also have a similar capability with the
> audit2allow tool, it should be considered an expert tool, the output of
> which needs to be understood before use (as noted in its man page).

Yes. But I remember Frank said "don't use it :-)" when he gave a
presentation in Japan.

> > In addition, access control mode of
> > TOMOYO Linux can be managed for every different domain.
>
> We have considered per-domain enforcing mode a couple of times in the
> past, but figured that it could be implemented via policy alone (e.g. run
> the task in a domain where all accesses are allowed and logged); and it
> would also be of limited usefulness because of the aforementioned problems
> with learning mode security policy.

I'll reply to this part later.

Thanks!
Toshiharu Harada