Some LSM and SGX remarks before parting of for two weeks
James Morris
jmorris at namei.org
Fri Jul 12 03:12:23 UTC 2019
On Fri, 12 Jul 2019, Jarkko Sakkinen wrote:
> Before going to a two week vacation (sending v21 today), I'll make some
> remarks on SGX and LSM's:
>
> 1. Currently all patch sets proposing LSM changes are missing a problem
> statement and describe a solution to an undescribed problem.
> 2. When speaking of SELinux I haven't seen any draft's on how would
> define a policy module with the new constructs. Does not have to
> be a full policy modules but more like snippets demosntrating that
> "this would work".
> 3. All the SELinux discussion is centered on type based policies.
> Potentially one could isolate enclaves with some UBAC or RBAC
> based model. That could be good first step and might not even
> require LSM changes.
Unless I misunderstand what you mean here, RBAC and UBAC in SELinux still
require LSM hooks, and are typically integrated with Type Enforcement.
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list