Full Disclosure mailing list archives
Re: Microsoft prepares security assault on Linux
From: Valdis.Kletnieks () vt edu
Date: Wed, 12 Nov 2003 13:17:19 -0500
On Wed, 12 Nov 2003 07:32:33 PST, "Edward W. Ray" <support () mmicman com> said:
> tools and ideas. I finally bit the bullet a few months ago and hardened my kernel with SELinux. With the exception of the NSA having access, I believe
Actually, no. It doesn't give the NSA squat.

The entire kernel security module stuff in the 2.6 (and 2.4 backport) kernels is a *restrictive* set of exits. This means that they can *deny* an access that would otherwise (due to file permissions, etc.) be permitted. They are not *permissive* - in other words, you *can't* write an LSM that says "go ahead and bypass the file permissions". And therefore, SELinux is similarly constrained. And it's open source, so you can examine it and convince yourself of it.

A hint - the quick way to prove it's restrictive is to simply audit the set of hooks in the main kernel code to show they're all restrictive, and then audit the SELinux modules to make sure they don't do backdoor modification of anything they're not supposed to (yes, doing something like poking a dentry with the right values at the right time would cause problems).
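The restrictive-hook property described in the message above, as an added example that is not part of the original post and is not kernel code: a simplified userspace model in which the ordinary file-permission check runs first and the module hook is consulted only if that check passed. All type and function names are hypothetical, and the model assumes plain owner/group/other mode bits with no capabilities or ACLs.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified userspace model; every name here is hypothetical, not kernel code. */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };
struct cred_model  { unsigned uid, gid; };
struct inode_model { unsigned uid, gid, mode; };
typedef int (*lsm_hook_t)(const struct cred_model *, const struct inode_model *, int);

/* DAC only: owner/group/other mode bits (no capabilities or ACLs in this model). */
static int dac_permission(const struct cred_model *c, const struct inode_model *i, int mask)
{
    unsigned bits = i->mode;
    if (c->uid == i->uid) bits >>= 6;
    else if (c->gid == i->gid) bits >>= 3;
    return ((bits & 7u & (unsigned)mask) == (unsigned)mask) ? 0 : -EACCES;
}

/* The hook is consulted only after DAC returned 0: it can keep 0 or add an error. */
static int model_permission(const struct cred_model *c, const struct inode_model *i,
                            int mask, lsm_hook_t hook)
{
    int err = dac_permission(c, i, mask);
    if (err) return err;
    return hook ? hook(c, i, mask) : 0;
}

static int hook_allow_all(const struct cred_model *c, const struct inode_model *i, int mask)
{ (void)c; (void)i; (void)mask; return 0; }
static int hook_deny_write(const struct cred_model *c, const struct inode_model *i, int mask)
{ (void)c; (void)i; return (mask & MAY_WRITE) ? -EACCES : 0; }

/* Sweep all modes, masks and three constructed callers (owner, group member, other).
 * escalations != 0: count cases DAC denies but the hooked path allows;
 * otherwise count cases DAC allows but the hook denies. */
static int sweep(lsm_hook_t hook, int escalations)
{
    const struct cred_model creds[] = { {1000, 1000}, {1001, 1000}, {1002, 1002} };
    int n = 0;
    for (unsigned mode = 0; mode <= 0777; mode++)
        for (int k = 0; k < 3; k++)
            for (int mask = 1; mask <= 7; mask++) {
                struct inode_model ino = { 1000, 1000, mode };
                int dac = dac_permission(&creds[k], &ino, mask);
                int all = model_permission(&creds[k], &ino, mask, hook);
                n += escalations ? (dac != 0 && all == 0) : (dac == 0 && all != 0);
            }
    return n;
}

int main(void)
{
    printf("escalations=%d extra_denials=%d\n", sweep(hook_deny_write, 1), sweep(hook_deny_write, 0));
    return 0;
}
```

Because the hook is never reached when the first check fails, the escalation count is zero for any hook body; auditing real call sites means confirming each one has this shape.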