Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook

From: Pavel Machek
Date: Fri Jun 01 2007 - 09:21:45 EST

Next message: Andi Kleen: "Re: [PATCH 3/5] lockstat: core infrastructure"
Previous message: Pavel Machek: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
In reply to: Valdis . Kletnieks: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

> >> Average users are not supposed to be writing security policy. To be
> >> honest, even average-level system administrators should not be
> >> writing security policy.
> That explains so much! "SELinux: you're too dumb to use it, so just keep
> your hands in your pockets." :-)
>
> AppArmor was designed to allow your average sys admin to write a
> security policy. It makes different design choices than SELinux to
> achieve that goal. As a result, AppArmor is an utter failure when
> compared to SELinux's goals, and SELinux in turn is an utter failure
> when compared to AppArmor's goals.

I'd not be that sure. SELinux can read AA config files, with some
performance problems and bad problems with new files.

I bet solving the 'new files' problem is not going to take 20% of AA's
size...
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [PATCH 3/5] lockstat: core infrastructure"
Previous message: Pavel Machek: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
In reply to: Valdis . Kletnieks: "Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]