
Re: /sbin/restorecon and hard links



Stephen Smalley wrote:
> BTW, it is important to remember here that targeted policy doesn't try
> to confine users (just specific programs and daemons) and that
> relabeling /etc/passwd or other system files doesn't give the user any
> greater access since he is already unconfined as far as SELinux is
> concerned.

That's true for SELinux policy itself.  However, the Linux kernel _does_
confine users, independent of "external [to the kernel]" SELinux policy,
as an unavoidable part of the complete selinux package.  Namely, the
restrictions on execmod and execmem can make life difficult for legitimate
software which uses non-mainstream techniques to achieve higher performance
and/or create a richer debugging environment.  Even in targeted mode,
SELinux has greater-than-zero operational costs for non-targeted software.

-- 
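
Added example, not part of the original message and not code from the SELinux project: a small C probe for the kind of memory operation the execmem check covers, namely anonymous memory that is writable and executable at once, or written first and then made executable (the pattern a JIT or runtime code generator uses). The function names, the 4096-byte probe length and the verdict strings are choices made for this example; execmod, which concerns a modified private file mapping being made executable, is not probed here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for MAP_ANONYMOUS under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PROBE_LEN 4096           /* arbitrary probe size chosen for this example */

/* Map anonymous private memory with map_prot, dirty it if writable, then
 * optionally switch it to flip_prot. Returns 0 if every step was allowed,
 * otherwise the errno of the step that was refused. */
static int probe(int map_prot, int flip_prot)
{
    int rc = 0;
    void *p = mmap(NULL, PROBE_LEN, map_prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    if (map_prot & PROT_WRITE)
        memset(p, 0xC3, PROBE_LEN);          /* stand-in for emitted code bytes */
    if (flip_prot && mprotect(p, PROBE_LEN, flip_prot) != 0)
        rc = errno;
    munmap(p, PROBE_LEN);
    return rc;
}

/* Ordinary read/write data mapping: no executable permission involved. */
int probe_rw_baseline(void) { return probe(PROT_READ | PROT_WRITE, 0); }
/* Writable and executable at the same time. */
int probe_anon_wx(void) { return probe(PROT_READ | PROT_WRITE | PROT_EXEC, 0); }
/* Write first, then drop write and add exec. */
int probe_write_then_exec(void) { return probe(PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC); }

/* An SELinux denial surfaces as EACCES; EPERM is treated as a refusal too. */
const char *verdict(int err)
{
    if (err == 0) return "allowed";
    if (err == EACCES || err == EPERM) return "denied";
    return "error";
}

int main(void)
{
    printf("rw baseline     : %s\n", verdict(probe_rw_baseline()));
    printf("anon rwx        : %s\n", verdict(probe_anon_wx()));
    printf("write then exec : %s\n", verdict(probe_write_then_exec()));
    return 0;
}
```

When SELinux is the layer that refuses one of these calls, the denial is also recorded as an AVC message naming the permission, which is where to look before deciding whether the program needs an exception.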

