From: Valdis.Kletnieks@vt.edu
To: daw-news@taverner.cs.berkeley.edu (David Wagner)
Cc: linux-kernel@vger.kernel.org
Subject: Re: A basic question about the security_* hooks
Date: Sun, 27 Dec 2009 21:08:27 -0500
Message-ID: <16474.1261966107@localhost>
In-Reply-To: Your message of "Sun, 27 Dec 2009 20:28:23 GMT."
References: <20091225055034.GA374@us.ibm.com> <20091227031631.GA17629@hallyn.com> <200912271302.JBH64754.JtLMFQVOSOFFHO@I-love.SAKURA.ne.jp> <22669.1261911374@localhost>

On Sun, 27 Dec 2009 20:28:23 GMT, David Wagner said:

> Read the thread, where you can find the answer *why*. The question has
> already been answered.

That was the *original* use case for Michael Stone's module. However, in the
mail that I was specifically replying to:

On Sun, 27 Dec 2009 13:02:54 +0900, Tetsuo Handa said:

> I believe TOMOYO can safely coexist with other security modules.
> Why TOMOYO must not be used with SELinux or Smack or AppArmor?
> What interference are you worrying when enabling TOMOYO with SELinux or Smack
> or AppArmor?

Tetsuo asked specifically about the issues of composing two MAC implementations,
so I answered that issue as opposed to "composing a MAC with a small LSM".

I agree that composing a MAC system plus something small should be easier - as
far back as April 2002 there was discussion of stacking SELinux and the OWLSM
(openwall/grsecurity style patches). And we've *still* not managed to get a
solution for that issue (though Serge Hallyn did a yeoman job in trying to get
a stacker accepted back in 2004 or so).

I wonder if we need to go look at Serge's patch set again. It's getting tiring
to revisit the issue every 18 months when somebody wants a small LSM, but can't
do it because large MACs have essentially co-opted the interface.