Re: [AppArmor 00/44] AppArmor security module overview

2007-06-27 Thread Sean
concerned, AppArmor _is_ meant to replace SELinux. Not that there is really anything wrong with that, but it's a little disingenuous to then argue that they're meant to coexist. Sean - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a m

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-11 Thread Sean
in general to others. But from what I can tell, it's the only significant difference between SELinux and AA. Depending on the way it was implemented, it's conceivable that users could mix and match native SELinux policy with custom AA policies as they saw fit. Sean

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-11 Thread Sean
the problems of bouncing > back out to userspace for file creation and renames it looks like a regex > in the kernel is a lot safer and more reliable. There hasn't yet been shown a requirement for a userspace daemon to implement AA over SELinux. Sean

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-09 Thread Sean
On Sat, 9 Jun 2007 17:17:57 +0200 Andreas Gruenbacher <[EMAIL PROTECTED]> wrote: > On Saturday 09 June 2007 10:10, Sean wrote: > > Clinging to the current AA implementation instead of honestly considering > > reasonable alternatives does not inspire confidence or teamwork.

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-09 Thread Sean
Calling LSM "core" and pretending that SELinux can't do 90% of what you want doesn't change the facts on the ground. Clinging to the current AA implementation instead of honestly considering reasonable alternatives does not inspire confidence or teamwork. Sean.

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-09 Thread Sean
unch of new stuff into the kernel that could instead be added as a small extension to what already exists. Sean

Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching

2007-06-08 Thread Sean
infrastructure. Let's assume that everyone agrees that AA is a good idea. Which parts of it absolutely can't be implemented in terms of SELinux? SELinux isn't fixed in stone, it can be altered if necessary to accommodate AA (as in the example above of becoming default-deny). Sean.