Aidan Van Dyk wrote:
> Simlarly, SElinux is going to be used *on top* of any application that's
> out there, to try and enfoce the "no data coming in from a secure input"
> leaves through a "less secure output", irrespective of what app level
> security (and in this case, app-level being the SQL/SCHEMA/row-level)
> does itself...
It is incorrect.
SELinux works as a security server which provides access control decisions
for other subsystems. In this model, the kernel is also considered as one
of the subsystems.
Currently, X-window system has SELinux support because it manages window
objects in userspace, and we can use them as a method to communicate
other processes. (Please imagine copy&paste buffer.)
This slide will help your understand: http://selinux-symposium.org/2007/slides/03-xorg.pdf
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>