Re: [RFC][PATCH 0/11] security: AppArmor - Overview

On Tue, 2006-04-25 at 09:00 -0700, Casey Schaufler wrote:
> The underlying mechanisms are more complex than
> Bell & LePadula MAC + Biba Integrity + POSIX Caps.

Until one also considers the set of trusted subjects in systems that
rely on such models.  That's the point.  Those subjects are free to
violate the "simple" models, at which point any analysis of the
effective policy of the system has to include them as well.  SELinux/TE
just makes the real situation explicit in the policy, and enables you to
tailor the policy to the real needs of applications while still being
able to analyze the result.

> I am not trying to knock SELinux (too hard) in
> this discussion. I do want to point out that many
> of the arguements being used against alternatives
> apply to SELinux as well. I do not understand why
> SELinux developers feel so threatened by alternatives.

We're not threatened by alternatives.  We're concerned about a
technically unsound approach.  The arguments being raised against
pathname-based access control are about the soundness of that technical
approach, not whether there should be any alternatives to SELinux.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html