Re: [TOMOYO #9 (2.6.27-rc7-mm1) 1/6] LSM adapter functions.

[Kentaro Takeda]

Valdis.Kletnieks@xxxxxx wrote:
> On Tue, 30 Sep 2008 19:33:32 PDT, Casey Schaufler said:
>> I have always believed that MAC should come first, then DAC, because
>> MAC may care if you can see the mode bits. The current DAC before MAC
>> is an artifact of the desire for the LSM to behave cleanly as a
>> strictly additional mechanism. From an ideal security perspective
>> MAC should be first, but the pragmatic DAC first isn't going to cause
>> too much grief. If Tomoyo wants to do what I think is the right thing,
>> well, it's OK with me.
> I'm OK with the MAC going first as well
Current implementation is as follows.
- security_path_*: MAC before DAC
- security_inode_*: DAC before MAC
I can understand Casey and Valdis' MAC first approach from the ideal 
security perspective. However, from the pragmatic perspective, we 
prefer DAC before MAC approach as SELinux does. This approach doesn't 
change error code returned to callers if requested access is denied 
by DAC.

Regards,

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/