On Thu, 2007-06-21 at 23:17 +0200, Lars Marowsky-Bree wrote: > On 2007-06-21T16:59:54, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > Or can access the data under a different path to which their profile > > does give them access, whether in its final destination or in some > > temporary file processed along the way. > > Well, yes. That is intentional. > > Your point is? It may very well be unintentional access, especially when taking into account wildcards in profiles and user-writable directories. > > The emphasis on never modifying applications for security in AA likewise > > has an adverse impact here, as you will ultimately have to deal with > > application mediation of access to their own objects and operations not > > directly visible to the kernel (as we have already done in SELinux for > > D-BUS and others and are doing for X). Otherwise, your "protection" of > > desktop applications is easily subverted. > > That is an interesting argument, but not what we're discussing here. > We're arguing filesystem access mediation. IOW, anything that AA cannot protect against is "out of scope". An easy escape from any criticism. > > Um, no. It might not be able to directly open files via that path, but > > showing that it can never read or write your mail is a rather different > > matter. > > Yes. Your use case is different than mine. My use case is being able to protect data reliably. Yours? -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html