Xsecurity [was Re: OpenSSH Re: rawhide report: 20040608 changes]

Havoc Pennington hp at redhat.com
Wed Jun 9 13:48:37 UTC 2004


On Tue, 2004-06-08 at 11:21, Stephen Smoogen wrote:
> Will the Xsecurity extensions be looked at in the future?

Rather than the old XSECURITY extension we're looking at an
SELinux-style approach that the NSA guys are working on; essentially it
changes all the hardcoded XSECURITY checks in the server into callouts
to a configurable policy.

I think this technology has a way to go; the security checks are
frequently at the wrong level of granularity (e.g. a clipboard paste
translates into a whole series of X protocol requests - and the security
checks are at the level of each individual request, with no context to
figure out that we have a paste from app A to app B in format XYZ).

It's like security-checking a stack of documents by chopping it into
quarter-inch squares and trying to pick which ones can go through ;-)

Nonetheless we're thinking about it, and there are some low-hanging
fruit things that can be secured.

Havoc
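The granularity problem Havoc describes can be made concrete with a small simulation. This is an added example, not code from the thread, from the X server, or from the NSA/SELinux work mentioned above. It models an ICCCM-style selection transfer (ConvertSelection, the owner's ChangeProperty and SelectionNotify, the requestor's GetProperty) as a stream of requests, and contrasts a per-request hook, which sees each request in isolation, with a tracker that correlates the stream into one "paste from A to B in format XYZ" event and hands that to a configurable policy. Client identities, app names and the `Request` fields are simplifying assumptions; a real server would derive them from connection credentials and resource IDs.

```python
"""Toy model of per-request vs. correlated access checks for X selection
transfers. Not X server or XACE code; request names follow ICCCM, all
client/app names are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    client: str          # app issuing the request (assumed known to the server)
    kind: str            # X protocol request or event name
    selection: str = ""  # e.g. PRIMARY / CLIPBOARD
    target: str = ""     # requested format, e.g. UTF8_STRING
    window: str = ""     # window whose property carries the data


# Level 1: a per-request hook in the XSECURITY style. It sees one request and
# nothing else, so it cannot tell a clipboard read from any other property read.
def per_request_policy(req: Request, may_read_properties: set[str]) -> bool:
    if req.kind == "GetProperty":
        return req.client in may_read_properties
    return True


@dataclass(frozen=True)
class Paste:
    source: str   # app owning the selection
    dest: str     # app that requested the conversion
    target: str   # format the data was requested in


# Level 2: reassemble the request sequence into a Paste and ask a policy
# callout about the semantic event instead of about each request.
class SelectionTracker:
    def __init__(self, owners: dict[str, str], policy: Callable[[Paste], bool]):
        self.owners = owners      # selection name -> owning app
        self.policy = policy      # configurable callout on the paste event
        self.pending: dict[str, tuple[str, str, str]] = {}  # window -> (src, dst, target)
        self.decisions: list[tuple[Paste, bool]] = []

    def handle(self, req: Request) -> bool:
        if req.kind == "ConvertSelection":
            owner = self.owners.get(req.selection)
            if owner is not None:
                self.pending[req.window] = (owner, req.client, req.target)
            return True
        if req.kind == "GetProperty" and req.window in self.pending:
            src, dst, tgt = self.pending.pop(req.window)
            paste = Paste(src, dst, tgt)
            allowed = self.policy(paste)
            self.decisions.append((paste, allowed))
            return allowed          # the data only flows on the final read
        return True


def paste_sequence(owner: str, requestor: str, selection: str, target: str) -> list[Request]:
    """The requests one paste turns into on the wire (simplified)."""
    win = f"{requestor}-window"
    return [
        Request(requestor, "ConvertSelection", selection, target, win),
        Request(owner, "ChangeProperty", selection, target, win),       # owner stores data
        Request(owner, "SendEvent:SelectionNotify", selection, target, win),
        Request(requestor, "GetProperty", selection, target, win),      # requestor reads it
    ]


def demo():
    owners = {"CLIPBOARD": "password-manager", "PRIMARY": "editor"}
    reqs = (paste_sequence("password-manager", "untrusted-browser", "CLIPBOARD", "UTF8_STRING")
            + paste_sequence("editor", "untrusted-browser", "PRIMARY", "UTF8_STRING"))

    # Per-request: either the browser may read properties (both pastes pass)
    # or it may not (both pastes fail); there is no way to express "only the
    # paste from the password manager is forbidden".
    lenient = [per_request_policy(r, {"untrusted-browser", "editor", "password-manager"}) for r in reqs]
    strict = [per_request_policy(r, {"editor", "password-manager"}) for r in reqs]

    # Correlated: the policy sees source, destination and format together.
    def policy(p: Paste) -> bool:
        return not (p.source == "password-manager" and p.dest == "untrusted-browser")

    tracker = SelectionTracker(owners, policy)
    correlated = [tracker.handle(r) for r in reqs]
    return lenient, strict, correlated, tracker.decisions


if __name__ == "__main__":
    for name, result in zip(("lenient", "strict", "correlated"), demo()[:3]):
        print(name, result)
```

Only the correlated tracker can deny the password-manager paste while still letting the editor paste through; the per-request hook either allows both or breaks both, which is the "quarter-inch squares" problem in miniature.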
