Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching



On Tuesday 15 May 2007 11:20, Pavel Machek wrote:
> Hi!
>
> > > > Pathname matching, transition table loading, profile loading and
> > > > manipulation.
> > >
> > > So we get small interpreter of state machines, and reason we need it
> > > is 'apparmor is misdesigned and works with paths when it should have
> > > worked with handles'.
> >
> > I assume you mean labels instead of handles.
> >
> > AppArmor's design is around paths not labels, and independent of whether or
> > not you like AppArmor, this design leads to a useful security model distinct
> > from the SELinux security model (which is useful in its own ways). The
> > differences between those models cannot be argued away, neither is a subset
> > of the other, and neither is a misdesign. I would be thankful if you could
> > stop spreading this lie.
>
> If you solve the 'new file problem', aa becomes subset of selinux.
> And I'm pretty sure patch will be nicer than this.

You are quite mistaken. SELinux turns pathnames into labels when it initially
labels all files (when a policy is rolled out), whereas AppArmor computes
the "label" of each file when a file is opened. The two models start to
diverge as soon as files are renamed: in SELinux, labels stick with the
files. In AppArmor, "labels" stick with the names.

So what you advocate for is a hybrid between the SELinux and the AppArmor
model, not a superset.

It could be that the SELinux folks will solve the issues they are having with
new files using something better than restorecond in the future, perhaps even
an in-kernel mechanism (although I somewhat doubt it). But then again, their
basic model makes sense even without any live file relabeling, and so that's
probably not very high up on the priority list.

Andreas
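
The rename divergence and the "new file problem" discussed in this message, as a toy model. This is an added example, not part of the original e-mail and not SELinux or AppArmor code; the rule table, label names and the ToyFS class are constructed for illustration, and the label given to a newly created file is an assumed stand-in for whatever its creation context assigns.

```python
from fnmatch import fnmatchcase

# Constructed policy (pattern -> label); not real SELinux or AppArmor syntax.
RULES = [("/etc/shadow", "secret"), ("/tmp/*", "scratch")]

def label_for_path(path):
    """First matching pattern wins; anything else is 'unlabeled'."""
    for pattern, label in RULES:
        if fnmatchcase(path, pattern):
            return label
    return "unlabeled"

class ToyFS:
    def __init__(self, paths):
        self.names = {p: ino for ino, p in enumerate(paths)}  # name -> inode
        self.inode_label = {}                                 # inode -> stored label

    def initial_labeling(self):
        # Label-based model: pathnames become labels once, at policy rollout.
        for path, ino in self.names.items():
            self.inode_label[ino] = label_for_path(path)

    def rename(self, old, new):
        self.names[new] = self.names.pop(old)  # same inode, so same stored label

    def create(self, path, inherited):
        # Assumption: a new file's label comes from its creation context, not its name.
        ino = max(self.inode_label, default=-1) + 1
        self.names[path] = ino
        self.inode_label[ino] = inherited

    def relabel(self, path):
        # Stand-in for a userspace relabeling pass such as restorecond.
        self.inode_label[self.names[path]] = label_for_path(path)

    def label_view(self, path):  # label-based: what is stored on the file
        return self.inode_label[self.names[path]]

    def path_view(self, path):   # path-based: computed from the name at open time
        self.names[path]         # KeyError if the name does not exist
        return label_for_path(path)

def demo():
    fs = ToyFS(["/etc/shadow", "/tmp/notes"])
    fs.initial_labeling()
    out = {"start": (fs.label_view("/etc/shadow"), fs.path_view("/etc/shadow"))}
    fs.rename("/etc/shadow", "/tmp/x")
    out["renamed"] = (fs.label_view("/tmp/x"), fs.path_view("/tmp/x"))
    fs.create("/etc/shadow", inherited="etc_default")
    out["new_file"] = (fs.label_view("/etc/shadow"), fs.path_view("/etc/shadow"))
    fs.relabel("/etc/shadow")
    out["relabeled"] = (fs.label_view("/etc/shadow"), fs.path_view("/etc/shadow"))
    return out
```

Each tuple returned by `demo()` is (label-based view, path-based view): the two agree at rollout, split after the rename, split again for the new file, and agree once the relabeling pass has run.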