so are you suggesting that SELinux would call out to userspace for every
file open to get the label for that file?
just off the top of my head
what would all these kernel->userspace->kernel transitions do to
performance?
would SELinux give userspace the full path to that file?
if so wouldn't it have to implement most of what AA adds to do this?
if not how would userspace figure out what label to hand back without this
info?
how would SELinux figure out the permissions for the userspace Daemon?
how would you change both the rules for labels in the kernel and the
policy for assigning labels in userspace without any race conditions?
yes, you could add all the AA code to SELinux and then say that the result
is implemented in SELinux, you may even save a little bit of code in some
parts of it (but I would argue that you add more code in others, say for
the userpace interface and userspace labeling code), but the result
wouldn't be in the spirit of SELinux.
it may be possible to write something that resembles AA in SELinux policy
(once you solve the problem of how to label newly created files securely),
but it's also possible to write a webserver in COBOL to run out of inetd,
that doesn't mean that it makes any sort of sense to do either one.
on the other hand, it may be a good idea. let's see how people really use
AA once they have it available and the SELinux folks can work on
duplicating the functionality, if they do then the existing AA interface
could be phased out over time, or the internal implementation could
change. but arguing that SELinux _may_ be able to do the job of AA
_someday_ should not prevent AA from being included today (especially when
so many of the SELinux developers are so opposed to the very concept of
AA, which doesn't indicate that they are about to rush out and implement
the pieces needed to make it work)
David Lang
-
