CC trimmed to remove a few poor overloaded inboxes from this tangent.
On May 27, 2007, at 04:34:10, Cliffe wrote:
Kyle wrote:
On the other hand, if you actually want to protect the _data_,
then tagging the _name_ is flawed; tag the *DATA* instead.
Would it make sense to label the data (resource) with a list of
paths (names) that can be used to access it?
Therefore the data would be protected against being accessed via
alternative arbitrary names. This may be a simple label to maintain
and (possibly to) enforce, allowing path based confinement to
protect a resource. This may allow for the benefits of pathname
based confinement while avoiding some of its problems.
The primary problem with that is that "mv somefile otherfile" must
change the labels, which means that every process that issues a rename
() syscall needs to have special handling of labels. The other
problem is that many of the features and capabilities of SELinux get
left by the wayside. On an SELinux system 90% of the programs don't
need to be modified to understand labels, since the policy can define
automatic label transitions. SELinux also allows you to have
conditional label privileges based on boolean variables, something
that cannot be done if the privileges themselves are stored in the
filesystem. Finally, such an approach does not allow you to
differentiate between programs.
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
