• 1


Just found this and my first thought is "This is different to the AppArmor approach how?"

AppArmor restricts based on file paths. To deal with hard links it disallows their use in certain circumstances.

To make SELinux usable for normal people, you have written a daemon that sits around layering AppArmor file-path/hardlink like semantics on top of SELinux in a racey, hacky, inefficient way. I don't mean you write bad code, I just mean that it's a limitation of the approach (we already have way too many daemons sucking up memory for their stacks/heaps/bookkeeping).

Stuff like Flash Player being there is also quite a concern. This system plays nice with 3rd party software? I rather think not ... very worrying indeed. I also don't see why the kernel can't cope with file names if not file paths, so you could say "resolve.conf" in a directory of label etc_t.

  • 1

Log in