[OT][Practices] The Case for RBAC/MAC -- SELinux is like NetFilter (please read)

On Sat, 2005-11-19 at 06:50, Bryan J. Smith wrote:
> I keep hearing about alleged "bugs" and "holes" and possible "exploits"
> for SELinux.  Please, _please_ understand that SELinux is like
> NetFilter, a supervisory kernel subsystem that _only_ takes _away_
> access (does _not_ grant more).

That's what it is supposed to do.  We are talking about bugs and
unexpected behavior here.  Are you claiming that a bug in
kernel code can't have security implications?

> Now no more "SELinux will open up more holes" nonsense!  In the
> absolute worst case, you write an incorrect SELinux rule, just like you
> might accidentally write an incorrect IPTables rule.  In _either_ case
> you do _not_ get "more holes" than if you had SELinux off, just like you
> do _not_ get "more holes" if you had _no_ IPTables rules.  ;->

No, the worst case would be more like the bug affecting setuid
handling fixed in kernel 2.2.16.  How many years did it take
to find that one? 

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
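The property under dispute above, that a mandatory access control layer such as SELinux composes with ordinary Unix permissions by intersection and so can only remove access, is easy to see in a small model. The following is an added illustration written for this thread; it is not code from SELinux, NetFilter or the kernel. The labels, uids, DAC table and type-enforcement rules are constructed sample data, and the `access_allowed` function is an assumption about how a reference monitor should behave (fail closed), not a description of the real hook implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    uid: int        # Unix user making the request
    domain: str     # subject label in SELinux style, e.g. "httpd_t"
    obj_type: str   # object label in SELinux style, e.g. "shadow_t"
    perm: str       # requested permission: "read", "write", ...


# Constructed DAC table: which uid may do what to which object type.
# uid 0 is allowed everything, as under ordinary Unix DAC.
DAC_TABLE = {
    (48, "httpd_sys_content_t"): {"read"},
    (48, "httpd_tmp_t"): {"read", "write"},
}


def dac_allows(req: Request) -> bool:
    """Discretionary check alone: the classic owner/mode decision."""
    if req.uid == 0:
        return True
    return req.perm in DAC_TABLE.get((req.uid, req.obj_type), set())


# Constructed type-enforcement rules: (source domain, target type, permission).
GOOD_POLICY = {
    ("httpd_t", "httpd_sys_content_t", "read"),
    ("httpd_t", "httpd_tmp_t", "read"),
    ("httpd_t", "httpd_tmp_t", "write"),
}

# The "incorrect rule" case from the thread: the admin misspells a target type,
# so the intended allow rule never matches.
TYPO_POLICY = {
    ("httpd_t", "httpd_sys_contnet_t", "read"),   # typo in the type name
    ("httpd_t", "httpd_tmp_t", "read"),
    ("httpd_t", "httpd_tmp_t", "write"),
}


def mac_allows(req: Request, rules: set) -> bool:
    """Mandatory check: default deny, only explicit rules grant."""
    return (req.domain, req.obj_type, req.perm) in rules


def access_allowed(req: Request, rules: set, mac_enforcing: bool = True) -> bool:
    """Final decision. DAC must say yes; with MAC enforcing, MAC must also say yes.

    The MAC hook is wrapped so that an internal failure denies rather than
    grants (fail closed). This is the design assumption that makes "MAC only
    takes access away" hold even when the hook code itself misbehaves.
    """
    if not dac_allows(req):
        return False
    if not mac_enforcing:
        return True
    try:
        return mac_allows(req, rules)
    except Exception:
        return False


def mac_grants_anything_new(requests, rules: set) -> bool:
    """True if enforcing MAC permits some request that DAC alone refused."""
    return any(
        access_allowed(r, rules) and not access_allowed(r, rules, mac_enforcing=False)
        for r in requests
    )


def newly_denied(requests, rules_before: set, rules_after: set) -> list:
    """Requests allowed under rules_before but refused under rules_after."""
    return [
        r for r in requests
        if access_allowed(r, rules_before) and not access_allowed(r, rules_after)
    ]


# Constructed sample requests.
R_WEB_READ = Request(48, "httpd_t", "httpd_sys_content_t", "read")
R_ROOT_SHADOW = Request(0, "httpd_t", "shadow_t", "read")   # root, but confined
R_WEB_SHADOW = Request(48, "httpd_t", "shadow_t", "read")   # DAC already refuses
SAMPLE_REQUESTS = [R_WEB_READ, R_ROOT_SHADOW, R_WEB_SHADOW]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r, "DAC only:", access_allowed(r, GOOD_POLICY, mac_enforcing=False),
              "DAC+MAC:", access_allowed(r, GOOD_POLICY))
    print("typo policy newly denies:", newly_denied(SAMPLE_REQUESTS, GOOD_POLICY, TYPO_POLICY))
```

Two things fall out of running it. Neither the correct nor the misspelled policy ever lets through a request that DAC refused, which is the intersection argument made in the quoted mail; the typo's only effect is to deny the web server's own content. The root request against `shadow_t` also shows why the model is useful: DAC alone says yes, the confined domain says no. The counterpoint in the reply lives in the `try`/`except` around the hook: the intersection property is a property of correct enforcement code, so a defect in the hook that returned "allow" on an error path would break it, which is why a reference monitor is written to deny on any internal failure.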