Subject: Re: SE Linux vs SE NetBSD !!
To: Travis H. <solinym@gmail.com>
From: Andrew Reilly <andrew-netbsd@areilly.bpc-users.org>
List: tech-security
Date: 08/29/2006 16:06:42

On Fri, Aug 25, 2006 at 03:56:00PM -0500, Travis H. wrote:
> That's okay, if there's a sufficient number of people to write those
> policies.  Similarly, 99% of the Unix user population can't write
> solid kernel code, for example a device driver.  That's okay because
> we can copy bits for zero marginal cost from the people who can for
> the people who can't.

This is getting to the heart of the bit that I don't understand
about this whole area (SE-Foo, etc).  Please pardon the intrusion
of a know-nothing...

How can someone else write my security policy for me?  How can
there be just one such, and application-based?  Isn't the point
of policy that it's up to me?  If it's just a documentation of
the capabilities of the application, then what does it offer over
and above the application itself?

What sort of applications are we talking about?  Presumably
not /bin/sh or /usr/pkg/bin/perl: those have rather a lot of
potential behaviours.

Cheers,

-- 
Andrew