On Wed, 12 Nov 2003 07:32:33 PST, "Edward W. Ray" <[EMAIL PROTECTED]> said:
> tools and ideas. I finally bit the bullet a few months a go and hardened my > kernel with SELinux. With the exception of the NSA having access, I believe Actually, no. It doesn't give the NSA squat. The entire kernel security module stuff in the 2.6 (and 2.4 backport) kernels is a *restrictive* set of exits. This means that they can *deny* an access that would otherwise (due to file permissions, etc) be permitted. They are not *permissive* - in other words, you *cant* write an LSM that says "go ahead and bypass the file permissions". And therefore, SELinux is similarly constrained. And it's open source, so you can examine it and convince yourself of it. A hint - the quick way to prove it's restrictive is to simply audit the set of hooks in the main kernel code to show they're all restrictive, and then audit the SELinux modules to make sure they don't do backdoor modification of anything they're not supposed to (yes, doing something like poking a dentry with the right values at the right time would cause problems).
pgp00000.pgp
Description: PGP signature
