Date: Mon, 29 Jan 2007 10:23:41 -0500 (EST)
From: James Morris
To: Stephen Smalley
cc: "Eric W. Biederman", Andrew Morton, Ingo Molnar, tglx@linutronix.de, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, Eric Paris
Subject: Re: [PATCH] sysctl selinux: Don't look at table->de
In-Reply-To: <1170075866.8720.15.camel@moss-spartans.epoch.ncsc.mil>
References: <200701280106.l0S16CG3019873@shell0.pdx.osdl.net> <20070127172410.2b041952.akpm@osdl.org> <1169972718.17469.164.camel@localhost.localdomain> <20070128003549.2ca38dc8.akpm@osdl.org> <20070128093358.GA2071@elte.hu> <20070128095712.GA6485@elte.hu> <20070128100627.GA8416@elte.hu> <20070128104548.a835d859.akpm@osdl.org> <1170075866.8720.15.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 29 Jan 2007, Stephen Smalley wrote:

> NAK. Mapping all sysctls to a single security label prevents any kind
> of fine-grained security on sysctls, and current policies already make
> use of the current distinctions to limit access to particular sets of
> sysctls to particular processes. As is, I'd expect breakage of current
> systems running SELinux from this patch, because (confined) processes
> that formerly only required access to specific sysctl labels will
> suddenly run into denials on the generic fallback label.

Agreed, 100% NACK.
Please don't just simply remove long-researched & analyzed MAC security which has been in the kernel for years, which is being used in the field for high assurance systems, because you neglected to consider it during a code cleanup.

- James

-- 
James Morris