Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Tue, 22 Oct 2002 08:16:47 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Tue, 22 Oct 2002 08:16:47 -0400 Received: from sentry.gw.tislabs.com ([192.94.214.100]:10627 "EHLO sentry.gw.tislabs.com") by vger.kernel.org with ESMTP id ; Tue, 22 Oct 2002 08:16:47 -0400 Date: Tue, 22 Oct 2002 08:22:26 -0400 (EDT) From: Stephen Smalley X-X-Sender: To: Crispin Cowan cc: Alan Cox , Greg KH , Christoph Hellwig , Linus Torvalds , Linux Kernel Mailing List , Subject: Re: [PATCH] remove sys_security In-Reply-To: <3DB46DD2.8030007@wirex.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1457 Lines: 34 On Mon, 21 Oct 2002, Crispin Cowan wrote: > Therefore, the sys_security syscall has been removed. LSM-aware > applications that want to talk to security modules can do so through a > file system interface. This will work for WireX, and Smalley says it > will work for SELinux. I hope it will work for others. Actually, with regard to using a pseudo filesystem interface, I said that we could investigate it, but I have doubts about cleanly supporting the extended forms of existing calls (e.g. execve_secure, mkdir_secure, msgrcv_secure, recvmsg_secure, etc) using such an interface. I raised the same issue when sys_security was originally discussed on the lsm list long ago. SELinux extends the POSIX API to incorporate security (specifically flexible mandatory access control) as a first class notion. However, I understand Christoph's objection to sys_security and am not trying to revive that debate. We can hopefully have a dialogue about the SELinux API with the kernel developers at a later time and come to some consensus on a set of specific system calls that can be added to the kernel to support equivalent functionality to the SELinux API. -- Stephen D. Smalley, NAI Labs ssmalley@nai.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/