lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 17 Apr 2007 17:48:27 -0400
From:	Karl MacMillan <kmacmill@...hat.com>
To:	casey@...aufler-ca.com
Cc:	Andi Kleen <andi@...stfloor.org>, James Morris <jmorris@...ei.org>,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: AppArmor FAQ

On Tue, 2007-04-17 at 13:19 -0700, Casey Schaufler wrote:
> --- Andi Kleen <andi@...stfloor.org> wrote:
> > > although this can often be done with PAM plugins, which is a standard way 
> > > to do this kind of thing in modern Unix & Linux OSs.
> > 
> > PAM plugins in vi and emacs? Scary idea.
> > 
> > And what do you do if someone decides to use OpenOffice to edit their
> > /etc/resolv.conf? For a lot of people that's the only text editor 
> > they know.
> 
> For SELinux to be effective it has to have a complete policy definition.
> This would prevent the OpenOffice access (unless OpenOffice is in the
> modify_resolv_conf_t domain) above.
> 
> This, by the way, is a fundimental advantage of a path scheme over a
> label scheme in that label schemes require every object be labeled
> (it's Section 3.1.1.3 of the TCSEC if you want to look it up) while a
> path scheme (in the absences of a published requirement) only requires
> those names it cares about. SELinux in the absence of a correct and
> complete policy could be considered dangerous.
> 

This is wildly untrue (as I believe you know Casey). The effectiveness
of SELinux is certainly diminished by not confining all applications,
but that in no way makes it dangerous. It simply means that certain
aspects of the security are no longer guaranteed by the policy but
instead rely on application correctness. SELinux still offers useful
protections against a variety security threats in a targeted
configuration.

This is in contrast to a security mechanism that is path based and
doesn't control all accesses which can make _no_ guarantees about any
security goals. 

Karl

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ