[apparmor] unconfined mode and 'file' keyword

John Johansen john.johansen at canonical.com
Sat May 18 01:45:46 UTC 2013


On 05/17/2013 02:32 PM, John Johansen wrote:
> On 05/17/2013 01:55 PM, Steve Beattie wrote:
>> [Pruning discussion scope a bit...]
>>

<<snip>>

> 
>> If that's the case, I'm not entirely convinced there's a whole lot
>> of value of having multiple profiles in unconfined mode in a single
>> namespace, except to serve as early boot placeholders for later
> they serve as boot placeholders and generic labels
> 
> I know you're not fond of not separating the domain and object types
> but in the model we have they are unified. The kernel is set up around
> a unified type (selinux) and keeping them separate isn't worth it.
> 

To be fair, it's not just the unified type that leads to this; we can
also blame partial policy replacement and dynamic policy reload, each
of which makes it so that we can't easily precalculate a single static
type and would force us to do large relabeling if we did.

The implicit label is very much a domain type and isn't valid in the
implicit case without the rules of the domain.




