Linux security non-modules and AppArmor
Posted Jun 28, 2007 16:34 UTC (Thu) by akumria
In reply to: Linux security non-modules and AppArmor
Parent article: Linux security non-modules and AppArmor
One key concept with this framework is that it is "policy flexible". That is, it implements a clean separation of mechanism and policy.
I actually think this is a big problem with SELinux. As far as I know — and I could be wrong but that's never stopped me before! — the kernel is fairly inflexible with that what the superuser uid must be (i.e. 0).
So, why shouldn't there be an "in-kernel" RBAC security policy, or an "in-kernel" TE (Type Enforcement) security policy implemented directly on-top of LSM.
Your recent patch to disallow unloading of security modules give rise to the question, to me anyway, as to why anyone would want to have RBAC and TE security policy implemented at the same time.
to post comments)