
Re: RFE: FireKit



Bill McGonigle wrote:
> On 07/23/2009 06:17 PM, Matthew Woehlke wrote:
>> I have to ask... when are we going to see Linux allow network access
>> based on the checksum of the process that wants to use it? After all,
>> 'doze has had this ability for years. (Maybe SELinux can provide this
>> already?)
>
> Is this a checksum of the binary that got launched?  Make sure prelink
> can update whatever database of checksums is being kept.  And that
> prelink isn't exploitable. :)

True. For us, something based on SELinux contexts, which should be dropped by the kernel on any modification (and allowed to be set by trusted components, say prelink and yum/rpm) is probably as good or better than using checksums. (Which still requires prelink to be secure, but then that's already required, as rogue prelink could be wreaking who-knows-what havoc...)

> This can't be a default on MSW, right?  My spam filter's pain would seem
> to deny that possibility.

It's not built into MSW if that's what you mean. It's from Tiny, which I used before switching totally to Fedora. By "has this ability" I mean that FW's for MSW exist which have this feature. (Also, Tiny is *not* a firewall for people that don't know what they are doing; using Tiny is, I would say, on par with 'vi /etc/sysconfig/iptables' in terms of user-friendliness. Powerful, really not bad when you know what you are doing, but absolutely not for 'Joe Sixpack'.)

--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
"unsubscribe me plz!!" -- Newbies

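Added example, not part of the original message and not code from any project named in the thread: a sketch of the checksum-database idea discussed above, showing why a legitimate in-place rewrite of a binary (as prelink does) has to go through a trusted updater. The ChecksumAllowlist class, the updater names passed as strings, and the sample file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Digest of a file; a live process's /proc/<pid>/exe can be hashed the same way."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class ChecksumAllowlist:
    """Hypothetical policy store: executable path -> expected digest."""
    def __init__(self, trusted_updaters):
        # Assumption: updater identity is a plain string here; a real system
        # would need the kernel to vouch for who is rewriting the binary.
        self.trusted = set(trusted_updaters)
        self.db = {}

    def refresh(self, path, updater):
        if updater not in self.trusted:
            raise PermissionError(f"{updater} may not update checksums")
        self.db[path] = sha256_file(path)

    def may_use_network(self, path):
        expected = self.db.get(path)
        return expected is not None and sha256_file(path) == expected

def demo():
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "app")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF constructed sample, not a real binary")
        policy = ChecksumAllowlist({"rpm", "prelink"})
        policy.refresh(binary, "rpm")                   # enrolled at install time
        results = [policy.may_use_network(binary)]      # unmodified: allowed
        with open(binary, "ab") as f:                   # simulated prelink rewrite
            f.write(b"relocated")
        results.append(policy.may_use_network(binary))  # stale digest: denied
        try:
            policy.refresh(binary, "unknown-tool")      # untrusted updater
        except PermissionError:
            results.append("refused")
        policy.refresh(binary, "prelink")               # trusted updater
        results.append(policy.may_use_network(binary))  # allowed again
        return results

if __name__ == "__main__":
    print(demo())
```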
