My point being that if Eric Paris was going to write out-of-tree code to handle a case that Yama already handles, why not just use the out-of-tree stacking code instead, and gain all the dynamic policy logic that Yama already provides?
Posted Apr 15, 2012 9:48 UTC (Sun) by man_ls (subscriber, #15091)
Perhaps because stacking security modules would be an implicit assumption that SELinux is not always the right solution to security module problems, and somehow question Fedora's choice. In a few releases Fedora might even feel that SELinux is not really needed at all, and stop enabling it by default. Then admins who have taken the pains to learn SELinux (and perhaps even write some 100k-line configuration files) would feel cheated, and turn to Debian or (gasp) Ubuntu for their needs. Finally Red Hat would lose its market valuation and Canonical would start trading in the Nasdaq making Shuttleworth immensely rich again. Finally the world would get noticeably warmer from all the space trips he would make, and in 100 years civilization as we know it would crumble. It's a slippery slope!