Hello.
Kyle Moffett wrote:
> Part of the reason that Fedora has a large quantity of that
> restorecon and restorecond crap is that there is a certain amount of
> broken binary software needing executable stack/heap (such as
> flashplayer), programs without comprehensive or complete policies
2007/5/27, Kyle Moffett <[EMAIL PROTECTED]>:
On May 26, 2007, at 19:08:56, Toshiharu Harada wrote:
> 2007/5/27, James Morris <[EMAIL PROTECTED]>:
>> On Sat, 26 May 2007, Kyle Moffett wrote:
>>> AppArmor). On the other hand, if you actually want to protect
>>> the _data_, then tagging the _name_
>> On the other hand, if you actually want to protect the _data_, then
>> tagging the _name_ is flawed; tag the *DATA* instead.
Would it make sense to label the data (resource) with a list of paths
(names) that can be used to access it?
Therefore the data would be protected against being accesse
Hi all,
this is the new release of UidBind LSM:
http://projects.unbit.it/uidbind/
This new version adds a new configfs item, named 'comm'.
If 'comm' is defined, only the process with name == comm
can call the bind() function
(see the example on the website).
A patch for vanilla 2.6.21 is avai
CC trimmed to remove a few poor overloaded inboxes from this tangent.
On May 27, 2007, at 04:34:10, Cliffe wrote:
Kyle wrote:
On the other hand, if you actually want to protect the _data_,
then tagging the _name_ is flawed; tag the *DATA* instead.
Would it make sense to label the data (resou
On May 27, 2007, at 03:25:27, Toshiharu Harada wrote:
2007/5/27, Kyle Moffett <[EMAIL PROTECTED]>:
On May 26, 2007, at 19:08:56, Toshiharu Harada wrote:
2007/5/27, James Morris <[EMAIL PROTECTED]>:
On Sat, 26 May 2007, Kyle Moffett wrote:
AppArmor). On the other hand, if you actually want to
On May 27, 2007, at 03:13:11, Tetsuo Handa wrote:
Kyle Moffett wrote:
Part of the reason that Fedora has a large quantity of that
restorecon and restorecond crap is that there is a certain amount
of broken binary software needing executable stack/heap (such as
flashplayer), programs withou
Hello.
So, this protection is CPU dependent
and LSM provides hooks for checking PROT_READ, PROT_EXEC, PROT_WRITE flags
and SELinux utilizes the hooks provided by LSM.
Thank you for your explanation.
--- Cliffe <[EMAIL PROTECTED]> wrote:
> >> On the other hand, if you actually want to protect the _data_, then
> >> tagging the _name_ is flawed; tag the *DATA* instead.
>
> Would it make sense to label the data (resource) with a list of paths
> (names) that can be used to access it?
Program Ac