| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <453FA220.3090001@wolfmountaingroup.com> Date: Wed, 25 Oct 2006 11:42:56 -0600 From: "Jeff V. Merkey" <jmerkey@...fmountaingroup.com> To: David Howells <dhowells@...hat.com> CC: Nate Diller <nate.diller@...il.com>, sds@...ho.nsa.gov, jmorris@...ei.org, chrisw@...s-sol.org, selinux@...ho.nsa.gov, linux-kernel@...r.kernel.org, aviro@...hat.com, Christoph Hellwig <hch@...radead.org> Subject: Re: Security issues with local filesystem caching David Howells wrote: >Jeff V. Merkey <jmerkey@...fmountaingroup.com> wrote: > > > >>SELinux support addresses all of these issues for B1 level security quite >>well with mandatory access controls at the fs layers. In fact, it works so >>well, when enabled you cannot even run apache on top of an FS unless >>configured properly. >> >> > >How? The problem I've got is that the caching code would be creating and >accessing files and directories with the wrong security context - that of the >calling process - and not a context suitable for sharing things in the cache >whilst protecting them from userspace as best we can. > > Have it access them as 0.0 (root) when you change the fsuid, etc. and I think this would satisfy security concerns. I agree that it sounds like someone needs to instrument MAC layers with this subsystem. Jeff >David > > > - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists