From: clemens f. <in...@sp...> - 2003-04-20 17:10:14
|
Pawel Jakub Dawidek <ni...@ga...>: > MAC, as I said, is just API for kernel modules. > There is no such MAC policy that will provide cerb functionality and > there can't be such. You can't elevate privileges in MAC because > there is no place to downgrade it after operation. You can't modify > syscall argument, return values, etc. > > CerbNG is transparent for application. You don't need to rewrite > application to use cerb functionality. to me what this boils down to is that cerber is better for admins. or, where would i prefer MAC? clemens |