Whitelisting only digitally signed binaries

Alan Cox alan at lxorguk.ukuu.org.uk
Wed Sep 17 19:22:20 UTC 2008


> Has any work taken place in the Linux community toward building a
> "trusted loader" into Linux.  If so, what is the status? If not, why
> not?

You probably want to discuss this on the SELinux lists.

> the update is tied into yum. I realize that an infrastructure would have
> to exist for developers to sign their apps, and store their public
> certificates/keys, but this doesn't seem too far out of reach, after

rpm uses signatures to check packages are authentic and this can be
combined with SELinux labelling and rules to only permit executables
created by rpm to be run.

You still have the scripting problem of course.

Alan
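
An added example, not part of the original message: a shell audit that lists which executables under a directory are owned by an installed rpm package and which are not, i.e. the files an "rpm-created executables only" rule would leave unrunnable. The `RPM_QUERY` variable and the function names are assumptions of this example; the default command is the real `rpm -qf`, and this approximates the policy by package ownership rather than by reading SELinux labels.

```shell
#!/bin/sh
# Added example: audit executables against the rpm database.
# RPM_QUERY is a hypothetical knob for this example. It defaults to the real
# `rpm -qf FILE`, which exits non-zero when no installed package owns FILE.
RPM_QUERY="${RPM_QUERY:-rpm -qf}"

# Print "STATUS<TAB>path" for every regular file under $1 that has any
# execute bit set.
#   OWNED    an installed rpm package claims the file
#   UNOWNED  no package claims it (copied in, built locally, downloaded ...)
# Limitation: paths containing newlines are not handled.
audit_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
         -print 2>/dev/null |
    while IFS= read -r f; do
        # Word splitting of $RPM_QUERY is intentional ("rpm -qf" is two words).
        if $RPM_QUERY "$f" >/dev/null 2>&1; then
            printf 'OWNED\t%s\n' "$f"
        else
            printf 'UNOWNED\t%s\n' "$f"
        fi
    done | sort
}

# Number of executables that do not trace back to any rpm package.
count_unowned() {
    audit_executables "$1" | grep -c '^UNOWNED' || true
}

# Stand-alone use: sh audit.sh /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_executables "$1"
fi
```

The audit covers files on disk only: an rpm-owned interpreter shows as `OWNED` regardless of what script text it is later given to run. Ownership also does not prove the file is unmodified; `rpm -V` checks that separately.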



