Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

[Stephen Smalley]

On Wed, 2006-04-19 at 02:40 -0400, Kyle Moffett wrote:
> On Apr 18, 2006, at 21:48:56, Casey Schaufler wrote:
> > --- James Morris <jmorris@xxxxxxxxx> wrote:
> >> With pathnames, there is an unbounded and unknown number of  
> >> effective security policies on the system, as there are an
> >> unbounded and unknown number of ways of viewing the files via  
> >> pathnames.
> >
> > I agree that for traditional DAC and MAC (including the flavors  
> > supported by SELinux) inodes is the only way to go. SELinux is a  
> > traditional Trusted OS architecture and addresses the traditional  
> > Trusted OS issues.
> 
> Perhaps the SELinux model should be extended to handle (dir-inode,  
> path-entry) pairs.  For example, if I want to protect the /etc/shadow  
> file regardless of what tool is used to safely modify it, I would set  
> up security as follows:

SELinux already provides a way to protect /etc/shadow, in a much
stronger way.  It does require some library/application modifications
(already present in some distros) to preserve a different security label
on files containing shadow data than on files containing public passwd
data, but that is no different than the existing approach for preserving
different file modes on those files.  It doesn't require the kernel to
deal with pathnames itself.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/