SMACK meets the One True Security Module
Posted Oct 2, 2007 18:20 UTC (Tue) by flewellyn
Parent article: SMACK meets the One True Security Module
I think the problem here is, we're getting conflicting messages from the SELinux folks. On the one hand, they insist that SELinux is a security architecture, and can be used to create higher-level, more abstract security tools. On the other hand, they insist that SELinux should be usable as-is from userspace, by ordinary administrators.
I don't see these positions as compatible at all. And while I am no expert with SELinux (aside from the developers, does such a thing exist?), from what I understand about it, it IS more suited as an architecture for building security tools, than as a security tool in its own right. So perhaps the SELinux folks should work on making its interface more of a "programmatic" one, and stop emphasizing the userspace tools as security solutions on their own. In other words, to compare to another Linux subsystem, SELinux would be Netfilter to other tools' iptables or shorewall.
to post comments)