User: Password:
|
|
Subscribe / Log in / New account

SMACK meets the One True Security Module

SMACK meets the One True Security Module

Posted Oct 2, 2007 17:36 UTC (Tue) by bronson (subscriber, #4806)
Parent article: SMACK meets the One True Security Module

It seems like the SELinux guys are still looking to userspace tools to bail them out of their usability nightmare. I'm guessing most Linux admins enter iptables commands by hand (or by script), and iptables is *way* simpler than SELinux. The ALSA guys leaned on userspace to bail them out of their complexity nightmare and look at where it got them.

As long as it takes *days* for a good admin to learn and provision a nontrivial SELinux server, SELinux is a non-starter (in my workshop anyway). Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.

I'm excited about SMACK. I hope it gets merged. And I hope SELinux guys start taking learnability and usability seriously.


(Log in to post comments)

SMACK meets the One True Security Module

Posted Oct 2, 2007 20:43 UTC (Tue) by danieldk (subscriber, #27876) [Link]

It depends on what policy you use. For example, the Simplified Policy Description Language is quite easy to grok:

http://seedit.sourceforge.net/

It's policy language looks a lot like AppArmor's, but it does use file contexts underneath.

SMACK meets the One True Security Module

Posted Oct 4, 2007 14:53 UTC (Thu) by jengelh (subscriber, #33263) [Link]

>Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.

So, interestingly, is not *Novell* to blame (rather than SELinux or the casual user) to not have AppArmor designed to use SELinux as LSM? Just a thought...

SMACK meets the One True Security Module

Posted Oct 4, 2007 21:04 UTC (Thu) by nix (subscriber, #2304) [Link]

AppArmor predates SELinux, and does things that SELinux can't do without
insane delays (mass-relabelling of potentially every file in a very deep
subdirectory whenever you rename it springs to mind; even crazier
mass-relabellings of everything on the disk to implement some changes of
policy, unless I miss my guess).

(Equally, AppArmor can't efficiently imitate a TE system --- but nobody's
claiming it can.)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds