Re: A basic question about the security_* hooks
From: Valdis . Kletnieks
Date: Sun Dec 27 2009 - 21:08:36 EST
On Sun, 27 Dec 2009 20:28:23 GMT, David Wagner said:
> Read the thread, where you can find the answer *why*. The question has
> already been answered.
That was the *original* use case for Michael Stone's module. However, in the
mail that I was specifically replying to:
On Sun, 27 Dec 2009 13:02:54 +0900, Tetsuo Handa said:
> I believe TOMOYO can safely coexist with other security modules.
> Why TOMOYO must not be used with SELinux or Smack or AppArmor?
> What interference are you worrying when enabling TOMOYO with SELinux or Smack
> or AppArmor?
Tetsuo asked specifically about the issues of composing two MAC implementations,
so I answered that issue as opposed to "composing a MAC with a small LSM".
I agree that composing a MAC system plus something small should be easier -
as far back as April 2002 there was discussion of stacking SELinux and the
OWLSM (openwall/grsecurity style patches). And we've *still* not managed to
get a solution for that issue (though Serge Hallyn did a yeoman job in trying
to get a stacker accepted back in 2004 or so).
I wonder if we need to go look at Serge's patch set again. It's getting tiring
to revisit the issue every 18 months when somebody wants a small LSM, but can't
do it because large MACs have essentially co-opted the interface.
Attachment:
pgp00000.pgp
Description: PGP signature