On Fri, 12 Jul 2019, Jarkko Sakkinen wrote:

> Before going to a two week vacation (sending v21 today), I'll make some
> remarks on SGX and LSMs:
>
> 1. Currently all patch sets proposing LSM changes are missing a problem
>    statement and describe a solution to an undescribed problem.
> 2. When speaking of SELinux I haven't seen any drafts on how one would
>    define a policy module with the new constructs. Does not have to
>    be a full policy module but more like snippets demonstrating that
>    "this would work".
> 3. All the SELinux discussion is centered on type based policies.
>    Potentially one could isolate enclaves with some UBAC or RBAC
>    based model. That could be a good first step and might not even
>    require LSM changes.

Unless I misunderstand what you mean here, RBAC and UBAC in SELinux still
require LSM hooks, and are typically integrated with Type Enforcement.

--
James Morris
<jmorris@xxxxxxxxx>