[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities

On 07/29/2009 10:06 AM, Steve Grubb wrote:
> There is also the argument that what we've been teaching people for years is 
> that SE Linux strips away privileges and doesn't grant them. Changing the 
> model would be somewhat confusing.

Just to play the devil's hair-splitting advocate, if the kernel were
enforcing less and SELinux were enforcing more, the SElinux model
wouldn't have changed, 'just' the kernel's.  Certainly there's a good
forty years of expectation about what the kernel will enforce, though
I'm not sure that's important if SELinux is preventing unwanted access.

Thanks for the mailing list links from '07, those made for good reading.

I think the vision of SELinux in Fedora has alot to say about what the
right options are.  Will Fedora ever get to the point where advice to
turn off SELinux is as verboten as suggesting to chmod -R 777 to solve
a problem?  That is, if we can guarantee that SELinux is enforcing, a
whole different set of options is open that don't exist if SELinux is an
optional bolt-on.

Tangentially, has anybody attempted a statistical analysis tool to
gather data from systems running in permissive mode to look for policy
holes, ala smolt?


Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill bfccomputing com
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]