Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Jun 09, 2007, at 01:18:40, david@xxxxxxx wrote:
SELinux is like a default allow IPS system, you have to describe EVERYTHING to the system so that it knows what to allow and what to stop.

WRONG. You clearly don't understand SELinux at all. Try booting in enforcing mode with an empty policy file (well, not quite empty, there are a few mandatory labels you have to create before it's a valid policy file). /sbin/init will load the initial policy, attempt to re-exec() itself... and promptly grind to a halt. End-of-story.

Typical "targetted" policies leave all user logins as unrestricted, adding security for daemons but not getting in the way of users who would otherwise turn SELinux off. On the other hand, a targeted policy has a "trusted" type for user logins which is explicitly allowed access to everything.

That said, if you actually want your system to *work* with any default-deny policy then you have to describe EVERYTHING anyways. How exactly do you expect AppArmor to "work" if you don't allow users to run "/bin/passwd", for example.

Cheers,
Kyle Moffett

-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux