User: Password:
Subscribe / Log in / New account

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

From:  Stephen Smalley <>
To:  Linus Torvalds <>
Subject:  Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel
Date:  Mon, 01 Oct 2007 11:40:39 -0400
Message-ID:  <>
Cc:  James Morris <>, Andrew Morton <>,,,
Archive-link:  Article

On Mon, 2007-10-01 at 08:07 -0700, Linus Torvalds wrote:
> On Mon, 1 Oct 2007, James Morris wrote:
> > 
> > Merging Smack, however, would lock the kernel into the LSM API.  
> > Presently, as SELinux is the only in-tree user, LSM can still be removed.
> Hell f*cking NO!
> You security people are insane. I'm tired of this "only my version is 
> correct" crap. The whole and only point of LSM was to get away from that.
> And anybody who claims that there is "consensus" on SELinux is just in 
> denial.
> People are arguing against other peoples security on totally bogus points. 
> First it was AppArmor, now this.
> I guess I have to merge AppArmor and SMACK just to get this *disease* off 
> the table. You're acting like a string theorist, claiming that t here is 
> no other viable theory out there. Stop it. It's been going on for too damn 
> long.

You argued against pluggable schedulers, right?  Why is security

Do you really want to encourage people to roll their own security module
rather than working toward a common security architecture and a single
balanced solution (which doesn't necessarily mean SELinux, mind you, but
certainly could draw from parts of it)?   As with pluggable schedulers,
the LSM approach prevents cross pollination and forces users to make
poor choices.

Some have suggested that security modules are no different than
filesystem implementations, but filesystem implementations at least are
constrained by their need to present a common API and must conform with
and leverage the VFS infrastructure.  Different security modules present
very different interfaces and behaviors from one another and LSM doesn't
provide the same kind of common functionality and well-defined semantics
as the VFS.  The result of merging many wildly different security
modules will be chaos for application developers and users, likely
leading them to ignore everything but the least common denominator.
It almost makes more sense to merge no security modules at all than to
have LSM and many different security modules.

If Smack is mergeable despite likely being nothing more than a strict
subset of SELinux (MAC, label-based, should be easily emulated on top of
SELinux or via fairly simple extension to it to make such emulation
simpler or more optimal), then what isn't mergeable as a separate
security module?

Stephen Smalley
National Security Agency

(Log in to post comments)

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds