Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Microsoft prepares security assault on Linux

From: Valdis.Kletnieks () vt edu
Date: Wed, 12 Nov 2003 13:17:19 -0500
On Wed, 12 Nov 2003 07:32:33 PST, "Edward W. Ray" <support () mmicman com>  said:


tools and ideas.  I finally bit the bullet a few months a go and hardened my
kernel with SELinux.  With the exception of the NSA having access, I believe


Actually, no.  It doesn't give the NSA squat.

The entire kernel security module stuff in the 2.6 (and 2.4 backport) kernels
is a *restrictive* set of exits.  This means that they can *deny* an access
that would otherwise (due to file permissions, etc) be permitted.  They are
not *permissive* - in other words, you *cant* write an LSM that says "go
ahead and bypass the file permissions".

And therefore, SELinux is similarly constrained.  And it's open source, so you
can examine it and convince yourself of it.  A hint - the quick way to prove
it's restrictive is to simply audit the set of hooks in the main kernel code to
show they're all restrictive, and then audit the SELinux modules to make sure
they don't do backdoor modification of anything they're not supposed to (yes,
doing something like poking a dentry with the right values at the right time
would cause problems).

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: