| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Sep 2013 08:57:55 +0800
From: Steve Wray <stevedwray@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Internet has vuln.
I'm wondering how much of the industry/community is going to be in denial.
In some cases it could be quite difficult to disengage from NSA-influenced
projects, eg selinux. So far as I can tell this is pretty much everywhere
now. Redhat embraced it ages ago, its been integrated in the kernel since
2.6, so how do we opt out of selinux?
Are instructions like "you just need to edit the kernel boot line, usually
in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the
kernel line, add selinux=0 at the end." just laughable? The code is in the
kernel therefore the kernel is (potentially) compromised, right?
Are there any kernels available after 2.6 with no selinux? How easy or
difficult would it be to strip it out? Hardware devices that are running
Linux kernels, do they have the selinux code in them?
I'm pretty sure that a lot of people are going to throw their hands up in
despair at this kind of thing and say "but its open source, its been
verified and checked by people around the world, surely it can be trusted."
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists