Re: AppArmor FAQ

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 17 Apr 2007, Andi Kleen wrote:

> You nicely show one of the major disadvantages of the label model vs the path 
> model here: it requires modification of a lot of applications. 

This is incorrect.

Normal applications need zero modification under SELinux.

Some applications which manage security may need to be made SELinux-aware, 
although this can often be done with PAM plugins, which is a standard way 
to do this kind of thing in modern Unix & Linux OSs.

In any case, it has never been unusual for security-critical Unix/Linux 
apps to be aware of extra security frameworks, and conditionally utilize 
things like kerberos, tcpwrappers, SSL, skey etc.

Also, there's nothing inherent in pathname labeling vs. object labeling 
which makes one model require modification of applications more than the 
other.  You're taking one implementation of each and extrapolating to the 
general case, without even taking into consideration that the 
modifications only refer to security-management functions.

Also, in terms of implementation, these security schemes are quite 
different in their coverage and features, so it's an apples vs. oranges 
comparison anyway.


Thanks,



- James
-- 
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux