[anonsec] BYPASS OR PROTECT
Nicolas Williams
Nicolas.Williams at sun.com
Thu Apr 5 08:41:43 PDT 2007
On Thu, Apr 05, 2007 at 07:18:07AM -0400, Stephen Kent wrote:
> At 10:47 AM -0500 4/4/07, Nicolas Williams wrote:
> >Another way to look at it is to have system policy determine insertion
> >points into the SPD for app-requested rules -- since the SPD is ordered
> >then the insertion points determine what rules the apps can "punch
> >holes" into. There could be multiple such insertion points,
> >corresponding to multiple local privilege levels.
>
> One could do that, although I worry that this sounds fairly complex,
> especially because it sounds like changes in SPD affect where
> different rules apply.
That's the nature of policies consisting of ordered rulesets.
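
The insertion-point idea quoted above, sketched as an added example that is not part of the original message or of any IPsec implementation. The `Rule` and `SPD` classes, the `@admin`/`@user` marker names, and the addresses and ports are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    selector: tuple        # (remote network or None, port or None); None = any
    action: str            # "PROTECT", "BYPASS" or "DISCARD"
    owner: str = "system"

def _match(selector, remote, port):
    net, sel_port = selector
    return ((net is None or ip_address(remote) in ip_network(net))
            and (sel_port is None or sel_port == port))

class SPD:
    """Ordered, first-match policy database with named insertion points."""
    def __init__(self, entries):
        self.entries = list(entries)   # Rule objects and "@level" markers

    def insert(self, privilege, rule):
        # An app-requested rule lands just before the marker for the caller's
        # privilege level, so it can only shadow rules that follow the marker.
        marker = "@" + privilege
        if marker not in self.entries:
            raise PermissionError(f"no insertion point for {privilege!r}")
        self.entries.insert(self.entries.index(marker), rule)

    def lookup(self, remote, port):
        for e in self.entries:
            if isinstance(e, Rule) and _match(e.selector, remote, port):
                return e
        return Rule((None, None), "DISCARD")   # nothing matched: drop

def build_demo():
    # Constructed system policy: markers are placed by the administrator.
    spd = SPD([
        "@admin",
        Rule(("10.1.0.0/16", None), "PROTECT"),  # sensitive subnet
        "@user",
        Rule((None, 80), "PROTECT"),
        Rule((None, None), "DISCARD"),
    ])
    # An unprivileged app asks for cleartext to port 80 on any peer.
    spd.insert("user", Rule((None, 80), "BYPASS", owner="app"))
    return spd

if __name__ == "__main__":
    spd = build_demo()
    for peer in ("192.0.2.7", "10.1.2.3"):
        print(peer, spd.lookup(peer, 80))
```

The app's BYPASS rule takes effect for 192.0.2.7 but not for 10.1.2.3, because the PROTECT rule for 10.1.0.0/16 sits above the `@user` insertion point; moving a marker changes which system rules an app can shadow.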