Novell releases AppArmor

Posted Jan 17, 2006 2:43 UTC (Tue) by etbe (subscriber, #17516)
In reply to: Novell releases AppArmor by nix
Parent article: Novell releases AppArmor

With SE Linux there are access controls to determine which processes can
create a hard link to a file. For example, with the strict policy most
processes on the system are not permitted to create hard links to files
in /etc. I believe that some of the Common Criteria certifications
require that the system label inodes, not file names, so any system that
doesn't do something similar to what SE Linux does will not do well in
certification.

In a conventional Unix system there is nothing preventing you from having
a /etc/shadow file in a chroot environment with different permissions to
the "real" one.

A bigger problem for AppArmor is the fact that file specs are relative to
the root of a file system. So /etc/shadow is equivalent
to /home/etc/shadow if /home is a separate file system.


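The hard-link point in the comment above, as an added example that is not part of the original comment and is not SE Linux or AppArmor code: a small audit that groups regular files by (device, inode) and lists every name a multiply-linked inode has under a directory tree. The directory layout, file names and the `path_rule_matches` helper are constructed for illustration; the rule is a hypothetical exact-path match, not AppArmor's matching logic.

```python
import os
import stat
import tempfile
from collections import defaultdict


def find_multiply_linked(root):
    """Return {(st_dev, st_ino): {"nlink": n, "paths": [...]}} for regular
    files under root whose inode has more than one name (st_nlink > 1)."""
    found = defaultdict(lambda: {"nlink": 0, "paths": []})
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report symlinks as themselves
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                entry = found[(st.st_dev, st.st_ino)]
                entry["nlink"] = st.st_nlink
                entry["paths"].append(path)
    for entry in found.values():
        entry["paths"].sort()
    return dict(found)


def path_rule_matches(path, root, protected_rel="etc/shadow"):
    """Hypothetical path-based rule: matches only the protected name."""
    return os.path.relpath(path, root) == protected_rel


def demo():
    """Build a constructed tree with one file under two names and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "tmp"))
        protected = os.path.join(root, "etc", "shadow")
        with open(protected, "w") as fh:
            fh.write("constructed sample content\n")
        os.link(protected, os.path.join(root, "tmp", "notes"))
        report = find_multiply_linked(root)
        (entry,) = report.values()
        return {
            "nlink": entry["nlink"],
            "paths": [os.path.relpath(p, root) for p in entry["paths"]],
            "rule_hits": [path_rule_matches(p, root) for p in entry["paths"]],
        }


if __name__ == "__main__":
    print(demo())
```

An inode whose `nlink` is larger than the number of paths reported has at least one more name outside the scanned tree.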

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds