The secmark "one user" policy
James Morris
jmorris at namei.org
Fri Jun 23 03:02:10 UTC 2017
On Thu, 22 Jun 2017, John Johansen wrote:
> > Trying to stack major LSMs arbitrarily and exposing that to userland is an
> > architectural mess, which is what these kinds of problems are really
> > telling us.
> >
>
> The use case I keep seeing is not exposing multiple LSMs to the user
> space. Its the container where the container wants a different LSM
> than the system is running.
>
> Stacking 2 LSMs in that case and only exposing one to user space isn't
> so unreasonable.
In this case, would they both be labeling LSMs which need to label
packets?
I can imagine having Smack or SELinux as the base LSM and then having
AppArmor in the container, but having Smack and SELinux in that
combination would still not make sense to me.
>
> > How can a user be expected to reason about a system which is running
> > multiple independent MAC security models simultaneously? It's a terrible
> > idea.
> >
>
> At a generic system MAC level I agree, but not all LSMs that need
> state are MACs and in the more limited container case it isn't so
> unreasonable.
Can you provide a concrete example of needing two independent packet
labeling LSMs?
--
James Morris
<jmorris at namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list