[OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

Russell Coker russell at coker.com.au
Wed Sep 8 09:01:21 UTC 2004


On Sat, 4 Sep 2004 20:54, Ives Steglich <fedora-se-linux at dalini.de> wrote:
> there is a second option (also bios and startup related):
>
> you can put an additional pci-extension-bios on any pci-card which has
> its own pci-extension-bios for setting up its hardware, the chips are
> usually 64k but not fully used (graphics card, network card, ...) and the

Good point.  However one limitation of this is that it won't work so well for 
laptops.

The idea of replacing a BIOS was first suggested to me after a discussion of 
an advertised security product which had some very suspect claims about its 
performance.  The claim that it could survive a re-install of Windows seemed 
difficult to believe and a modified BIOS was the only suggestion of a 
possible way of doing it.

> second problem here would be getting the code to survive in RAM through
> the boot-up sequence of the operating system, but I'm sure this won't be
> any problem for some people with the necessary skills

That is solvable too.  It would have to decompress the kernel image, modify 
the kernel code in some subtle way (e.g. making some security check function in 
the kernel be a noop), re-compress the kernel image and then present it to 
the boot loader upon read requests.  It's difficult, but not impossible.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


