Linux security non-modules and AppArmor
Posted Jun 28, 2007 11:59 UTC (Thu) by jamesm
In reply to: Linux security non-modules and AppArmor
Parent article: Linux security non-modules and AppArmor
This has been the problem all along. People refuse to listen to technical arguments.
Once again: you can implement an extremely wide range of policies in SELinux, including "good enough" schemes that trade correctness for simplicty.
This is called policy-flexibility.
You can also add different types of models, at the same time, and have them composed in a coherent manner using consistent kernel and user APIs.
Have a look at the SEEedit project for an AA-like scheme implemented with SELinux.
And before the pathname thing comes up again, please stop and think about what the actual _requirements_ of the user are, what the most appropriate way to model them are in the Linux kernel and what kind of abstraction would then be most appropriate for the user.
Remember, horse before cart.
to post comments)