The secmark "one user" policy

Casey Schaufler casey at schaufler-ca.com
Sun Jun 25 18:05:24 UTC 2017


On 6/25/2017 2:41 AM, James Morris wrote:
> On Fri, 23 Jun 2017, Casey Schaufler wrote:
>
>> On 6/22/2017 8:12 PM, James Morris wrote:
>>> On Thu, 22 Jun 2017, Casey Schaufler wrote:
>>>
>>>> The combination of SELinux, Smack, AppArmor and/or TOMOYO is not
>>>> the goal so much as the test case. MAC was the coolest possible
>>>> technology in 1990. We've implemented it. I don't see anyone doing
>>>> a new MAC implementation. I *do* see security modules that implement
>>>> other security models in the pipeline. Some of these need to maintain
>>>> state, which means using security blobs in the LSM architecture.
>>>> Some of these models will want to use secmarks to implement socket
>>>> based controls.
>>> Where are these LSMs and where are the discussions about their LSM API 
>>> needs? 
>> LandLock, CaitSith, LoadPin (now in), Checmate, HardChroot,
>> PTAGS, SimpleFlow, SafeName, WhiteEgret, shebang, and S.A.R.A.
>> have all been discussed on the LSM list in the past two years.
> Which of these need to use secmarks to implement socket controls?

PTAGS doesn't, but will need to do so to be complete.
