Re: do user space object managers really provide mandatory access control

On Mon, 2014-07-28 at 13:07 +0200, Andy Warner wrote:
> 

> >Thank you. I should rephrase "if one defines" to "when one defines"
> 
> I would refute a definition of MAC that restricted it to the OS kernel. But if you did, then obviously your definition would exclude the possibility that MAC could exist outside the kernel, which makes your original questions seem moot. If you presume any MAC implementation is compromised, in user space or kernel, then obviously you have a problem. I do not think it is valid to assume that because something is in "user space" that it is easily compromised, though I understand that OS-centric viewpoint.

Thank you (and Joshua)

I think I got it now. I was not so much referring to the kernel itself
for the sake of the kernel but it just happens to be the core.

I suppose the take-away for me is:

SELinux is by definition centralized governance, but not centralized
enforcement. (the latter in part due to practical limitations)

Better this than nothing
