lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 Sep 2013 11:07:04 -0700
From: Tracy Reed <treed@...raviolet.org>
To: Steve Wray <stevedwray@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Internet has vuln.

On Wed, Sep 11, 2013 at 05:57:55PM PDT, Steve Wray spake thusly:
> In some cases it could be quite difficult to disengage from NSA-influenced
> projects, eg selinux. So far as I can tell this is pretty much everywhere
> now. Redhat embraced it ages ago, its been integrated in the kernel since
> 2.6, so how do we opt out of selinux?

Now you are throwing the baby out with the bathwater. SELinux is FOSS and very
auditable. 

> Are instructions like "you just need to edit the kernel boot line, usually
> in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the
> kernel line, add selinux=0 at the end." just laughable? The code is in the
> kernel therefore the kernel is (potentially) compromised, right?

Sure, potentially compromised by pretty much anyone in the world since anyone
can contribute to it. But all of the contributions happen out in the open so
the code can be reviewed for trickery. 

> Are there any kernels available after 2.6 with no selinux? How easy or
> difficult would it be to strip it out? Hardware devices that are running
> Linux kernels, do they have the selinux code in them?

There would be no point in doing so.

> I'm pretty sure that a lot of people are going to throw their hands up in
> despair at this kind of thing and say "but its open source, its been
> verified and checked by people around the world, surely it can be trusted."

Despair? No. More like relief.

-- 
Tracy Reed, RHCE     Digital signature attached for your safety.
Copilotco            PCI/HIPAA/SOX Compliant Secure Hosting
866-MY-COPILOT x101  http://copilotco.com

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ