| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LRH.2.21.2011211301340.18334@namei.org>
Date: Sat, 21 Nov 2020 13:05:23 +1100 (AEDT)
From: James Morris <jmorris@...ei.org>
To: Tushar Sugandhi <tusharsu@...ux.microsoft.com>
cc: zohar@...ux.ibm.com, stephen.smalley.work@...il.com,
casey@...aufler-ca.com, agk@...hat.com, snitzer@...hat.com,
gmazyland@...il.com, paul@...l-moore.com,
tyhicks@...ux.microsoft.com, sashal@...nel.org,
nramas@...ux.microsoft.com, linux-integrity@...r.kernel.org,
selinux@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, dm-devel@...hat.com
Subject: Re: [PATCH v6 8/8] selinux: measure state and hash of the policy
using IMA
On Thu, 19 Nov 2020, Tushar Sugandhi wrote:
> an impact on the security guarantees provided by SELinux. Measuring
> such in-memory data structures through IMA subsystem provides a secure
> way for a remote attestation service to know the state of the system
> and also the runtime changes in the state of the system.
I think we need better clarity on the security model here than just "a
secure way...". Secure how and against what threats?
This looks to me like configuration assurance, i.e. you just want to know
that systems have been configured correctly, not to detect a competent
attack. Is that correct?
--
James Morris
<jmorris@...ei.org>
Powered by blists - more mailing lists