On Sun, Mar 23, 2008 at 2:25 PM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> --- cinthya aranguren <cinthya.aranguren@xxxxxxxxx> wrote:
>
> > Hi,
> >
> > Is there any way to avoid or remove DAC controls? I'd like to have only one
> > security scheme in my system. I mean a pure SELinux system. Not DAC + MAC,
> > only MAC.
>
> No.
>
> Well, not today.
>
> The LSM, which is the interface that SELinux uses to plug into
> the rest of the kernel, is explicitly designed to allow additional
> restrictions but not replacement or override of existing
> restrictions. In the early days of LSM both restrictive models,
> like what we have today, and authoritative models, which would
> allow replacement of traditional DAC, were considered. The
> authoritative model was rejected based on how easy it would be
> for proprietary modules that had nothing to do with security to
> exploit the interface.
>
> I am currently putting some work into separating the LSM into
> a pair of interface sets, one for the privilege model and one
> for the additional restrictions. Once in place it could be
> possible to create a privilege scheme that reports to the
> traditional DAC that everyone has DAC override, and leave it
> to SELinux (or whatever restrictive model you might prefer)
> to make the only decision.
>
> That work is not done, nor is there any assurance that it
> might be accepted when it is. Since it would result in a
> system where the privilege module and the access restriction
> module could team up to provide an authoritative model
> it is within reason that the arguments that blocked an
> authoritative LSM could be raised again with the same result.
>

Thanks for the reply... That means it's impossible to separate DAC from MAC.
There is no way to have only one security scheme.

> Now I'll ask the 37 cent question:
>
> Why would you want to do that?
>

Just because I'm trying to simplify the security management of a Linux
installation. I'd like to use MAC security, but I realize this means I still
have DAC. I can't get rid of this. I have to admin the DAC burden plus MAC.
Maybe I'm thinking in an oversimplified reality.

>
> Casey Schaufler
> casey@xxxxxxxxxxxxxxxx
>

Cinthya.