On 05/25/2010 08:09 PM, Whit Blauvelt wrote: > > So with selinux, in general any script that selinux would stop from running > due to the script's own extra selinux file tags can be run if Evil Intruder > simply invokes the same script with its shell first - sh or perl or python > or whatever? That counts as security? Through what? The obscurity of this > devious workaround? Similarly, suppose I have a script (/usr/local/bin/example) with permission 0700. Now, if Evil Intruder simply copies the script elsewhere and changes its permissions, he can read and execute the script! Similarly, if I have Firefox running as userA, then userB cannot read its memory. However, if userB runs Firefox, he can read that process' memory! You're being silly. SELinux confines the daemons that the administrator starts so that they don't take actions that aren't allowed by policy. If an attacker gains access to the system with a higher set of privileges than the confined daemon, OF COURSE he can run the daemon with higher privileges. That doesn't negate the value of YOUR ability to DECREASE the privileges available to the daemons that run on your systems. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: CentOS mailing list <centos@xxxxxxxxxx>
- Subject: Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- From: Gordon Messmer <yinyang@xxxxxxxxx>
- Date: Tue, 25 May 2010 22:34:53 -0700
- Delivered-to: centos@xxxxxxxxxx
- In-reply-to: <20100526030935.GA9021@xxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-3.fc13 Thunderbird/3.0.4
- References:
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- From: Brunner, Brian T.
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- From: Jerry Franz
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- From: Les Mikesell
- Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- From: Jason Pyeron
- Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- From: Whit Blauvelt
- Re: Odd failure of smbd to start from init.d - CentOS 5.4
- Prev by Date: Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- Next by Date: Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- Previous by thread: Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- Next by thread: Re: Odd failure of smbd to start from init.d - CentOS 5.4 - it's that fine SELinux
- Index(es):
 |