[RFC PATCH v4 00/12] security: x86/sgx: SGX vs. LSM
Sean Christopherson
sean.j.christopherson at intel.com
Wed Jul 10 20:31:04 UTC 2019
On Wed, Jul 10, 2019 at 11:19:30PM +0300, Jarkko Sakkinen wrote:
> On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote:
> > On Tue, Jul 09, 2019 at 07:22:03PM +0300, Jarkko Sakkinen wrote:
> > > On Mon, Jul 08, 2019 at 10:29:30AM -0700, Sean Christopherson wrote:
> > > > On Fri, Jul 05, 2019 at 07:05:49PM +0300, Jarkko Sakkinen wrote:
> > > > > On Wed, Jun 19, 2019 at 03:23:49PM -0700, Sean Christopherson wrote:
> > > > >
> > > > > I still don't get why we need this whole mess and do not simply admit
> > > > > that there are two distinct roles:
> > > > >
> > > > > 1. Creator
> > > > > 2. User
> > > >
> > > > Because SELinux has existing concepts of EXECMEM and EXECMOD.
> > >
> > > What is the official documentation for those? I've only found some
> > > explanations from discussions and some RHEL sysadmin guides.
> >
> > No clue. My knowledge was gleaned from the code and from Stephen's
> > feedback.
>
> OK, thanks for elaboration. Got nailed some details I was missing :-)
>
> Anyway, to accompany your code changes I'm eager to document this not
> least because it is a good peer test that this all make sense (you
> cannot "unit test" a security model so that is the next best thing).
>
> Still, we need a documentation reference to reflect the narrative
> for these changes, seriously. It cannot be that SELinux is widely
> deployed and it completely lacks documentation for its basic
> objects, can it?
The vast majority of documentation I've found is on *using* SELinux,
e.g. writing policies and whatnot. I haven't found anything on its
internal details, although I admitedly haven't looked all that hard.
More information about the Linux-security-module-archive
mailing list