
Re: LSPP Requirement Specifically for Auditing



On Monday 03 October 2005 10:03, Stephen Smalley wrote:
> Have you considered moving the audit generation into a helper program to
> avoid having to directly make newrole suid (and to avoid having to
> directly allow newrole in policy to access the netlink audit socket)?


Our experience with helper programs was that they
are not very helpful from an assurance perspective.
Sure, you isolate the privileged code, but you still
have to demonstrate that the unprivileged program
that invokes it does so correctly. In this case you
still have to trust newrole, even though it isn't
setuid, because it would invoke a helper that is.
Steve's suggestion that he'll use capabilities to
reduce the exposure is very sensible.


------------------------
Casey Schaufler
casey schaufler-ca com
650.906.1780







