| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Microsoft prepares security assault on Linux On Wed, 12 Nov 2003 07:32:33 PST, "Edward W. Ray" <support@...cman.com> said: > tools and ideas. I finally bit the bullet a few months a go and hardened my > kernel with SELinux. With the exception of the NSA having access, I believe Actually, no. It doesn't give the NSA squat. The entire kernel security module stuff in the 2.6 (and 2.4 backport) kernels is a *restrictive* set of exits. This means that they can *deny* an access that would otherwise (due to file permissions, etc) be permitted. They are not *permissive* - in other words, you *cant* write an LSM that says "go ahead and bypass the file permissions". And therefore, SELinux is similarly constrained. And it's open source, so you can examine it and convince yourself of it. A hint - the quick way to prove it's restrictive is to simply audit the set of hooks in the main kernel code to show they're all restrictive, and then audit the SELinux modules to make sure they don't do backdoor modification of anything they're not supposed to (yes, doing something like poking a dentry with the right values at the right time would cause problems). -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031112/2ed003d2/attachment.bin
Powered by blists - more mailing lists