Quoting Tetsuo Handa ([EMAIL PROTECTED]):
> Hello.
>
> Serge E. Hallyn wrote:
> > > Does a process get different mount trees by just calling clone() or
> > > unshare()?
> > > My understanding is that clone() or unshare() disables propergation of
> > > mount tree changes when somebody calls mount(
--- [EMAIL PROTECTED] wrote:
> I'm pretty sure that most of the security community agrees on what "correct"
> means - the disagreement is in the most cost-effective way to *create* one.
Struth. (I'm practicing my Australian, it's gotten rusty)
I say that the the only rational way to create a po
Hello.
Serge E. Hallyn wrote:
> > Does a process get different mount trees by just calling clone() or
> > unshare()?
> > My understanding is that clone() or unshare() disables propergation of
> > mount tree changes when somebody calls mount() or umount() or pivot_root().
>
> Yes, with further pr
Quoting Tetsuo Handa ([EMAIL PROTECTED]):
> Hello.
>
> Serge E. Hallyn wrote:
> > > > > * namespace manipulation. (i.e. mount()/umount()/pivot_root())
> > > >
> > > > do you track mounts namespace cloning?
> > > >
> > > Yes. TOMOYO can recognize mount operation with the following flags.
> > >
On Sun, 30 Dec 2007 14:29:50 +0900, Tetsuo Handa said:
> Use of "learning mode" is independent from "correct policy".
My point *exactly*.
> The "learning mode" merely takes your duty of appending permissions to policy.
> We can develop and share procedures for how to exercise infrequently used c
Hello.
[EMAIL PROTECTED] wrote:
> Please make a *big* notation someplace that "learning mode" is quite likely to
> *not* produce a totally correct policy. In particular, it won't build rules
> for
> infrequently used code paths (such as error handling) unless you find a way to
> exercise those p
On Fri 2007-12-28 12:23:51, [EMAIL PROTECTED] wrote:
> On Fri, 28 Dec 2007 23:32:09 +0900, Tetsuo Handa said:
>
> > You can run your system with only policy collected by learning mode.
> > Thus, you basically don't need manual intervention.
> > But since there are randomly named files (i.e. tempor
Hello.
Serge E. Hallyn wrote:
> > > > * namespace manipulation. (i.e. mount()/umount()/pivot_root())
> > >
> > > do you track mounts namespace cloning?
> > >
> > Yes. TOMOYO can recognize mount operation with the following flags.
> >
> > --bind --move --remount
> > --make-unbindable --mak
On Fri, 28 Dec 2007 23:32:09 +0900, Tetsuo Handa said:
> You can run your system with only policy collected by learning mode.
> Thus, you basically don't need manual intervention.
> But since there are randomly named files (i.e. temporary files),
> you pay a little time to modify policy.
>
> The
Quoting Tetsuo Handa ([EMAIL PROTECTED]):
> Hello.
>
>
> Serge E. Hallyn wrote:
> > Auto-learning in itself doesn't seem novel, but so you're saying it's
> > novel in ust how integrated it is - no mnual intervention necessary?
>
> You can run your system with only policy collected by learning mo
Hello.
Serge E. Hallyn wrote:
> Auto-learning in itself doesn't seem novel, but so you're saying it's
> novel in ust how integrated it is - no mnual intervention necessary?
You can run your system with only policy collected by learning mode.
Thus, you basically don't need manual intervention.
Bu
Quoting Tetsuo Handa ([EMAIL PROTECTED]):
> Hello.
>
> Thank you for feedback.
>
> Serge E. Hallyn wrote:
> > > TOMOYO Linux is a DIY tool for understanding and protecting your system.
> > > TOMOYO Linux policy definitions are absolutely readable to Linux users,
> > > and
> > > TOMOYO Linux supp
Hello.
Thank you for feedback.
Serge E. Hallyn wrote:
> > TOMOYO Linux is a DIY tool for understanding and protecting your system.
> > TOMOYO Linux policy definitions are absolutely readable to Linux users, and
> > TOMOYO Linux supports unique policy learning mechanism which automatically
>
> Ar
oting can be done by users.
> We put some TOMOYO Linux policy examples on our web site.
>
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/etch/domain_policy.conf?v=policy-sample
>
> 2. TOMOYO Linux Security Goal
This section seems to me to be the most important one, and could
/domain_policy.conf?v=policy-sample
2. TOMOYO Linux Security Goal
The TOMOYO Linux's security goal is to provide "MAC that covers practical
requirements for most users and keeps usable for most administrators".
TOMOYO Linux is not a tool for security professional but for average users
and adm
15 matches
Mail list logo
