On Mon, 2014-07-28 at 13:07 +0200, Andy Warner wrote:
>
> I would refute a definition of MAC that restricted it to the OS kernel. But if you did, then obviously you would by definition exclude the possibility that MAC could exist outside the kernel, which makes your original questions seem moot. If you presume any MAC implementation is compromised, in user space or kernel, then obviously you have a problem. I do not think it is valid to assume that because something is in "user space" that it is easily compromised, though I understand that OS-centric viewpoint.

In my defense: I am not implying that user space is more easily compromised than the kernel. I was just hoping for a single point of failure when it comes to enforcement.

I made a mistake by associating "MAC" with "centralized". Although SELinux is a "MAC" system that facilitates centralized governance (but unfortunately not always centralized enforcement), this does not mean that this is also a property of "MAC".