Dailydave mailing list archives
Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor?
From: spender () grsecurity net (Brad Spengler)
Date: Tue, 31 Mar 2009 21:03:50 -0400
MLS basically adds in the Bell-LaPadula model, so that Secret programs produce Secret data, and can't read Top Secret data.
1) The complexity of policy is directly related to how fine-grained you want your access control to be.
I'm a bit surprised about seeing so many people being snarky about such a powerful security technology. I guess I'll just have to chalk it up to cynicism about any new protective technologies; it's cool to be dismissive and aloof. If you can find major areas it doesn't cover, you can call it ineffective.
It is cool to be dismissive and aloof about "new" (9 year old) technologies. Otherwise you're just the SELinux version of the "year of Linux on the desktop!" guy.

Regarding ineffectiveness (and specifically in regards to "proofs" and words such as "can't" and complexity/usability trade-offs) I won't repeat myself, since everything that needed to be said or demonstrated was done 2 years ago:
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html

They say a picture is worth a thousand words. A little bird gave me this:
http://grsecurity.net/~spender/mac_security_sesamestreet.jpg

-Brad
Current thread:
- Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor? Brad Spengler (Apr 01)
- Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor? Joanna Rutkowska (Apr 01)