On Sat, 28 Feb 2004 05:25, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> On Fri, 2004-02-27 at 13:19, James Harrison wrote:
> > Can we have two kernels - one with SELinux and one without.
>
> Boot with selinux=0, and the SELinux code is disabled.

Also note that the selinux=0 code was written by James Morris, not the NSA. ;)

On Sat, 28 Feb 2004 05:19, James Harrison <jamesaharrisonuk@xxxxxxxxxxx> wrote:
> I read the wonderful news article about SELinux and how the NSA have
> inserted their "security" code into Linux, but I can't see any technical
> detail.

SE Linux implements the "domain type" security model. Every object that can be accessed by a process (dir, file, socket, etc) has a type. Every process has a domain. You have a database of rules specifying which domains can access each type loaded by the kernel.

When any access is requested, first standard Unix checks are performed (i.e. UID/GID etc), then after those checks are passed SE Linux checks are performed. If the Unix checks deny an operation then the core SE Linux code will never even see it. There is talk of making changes to this at some future time, however the impression is that the main kernel people don't like such ideas. Also the current operation is good for the time when SE Linux is becoming popular. Lots of people can be expected to stuff up their policy, and with the current setup they can't make things any less secure than a regular Linux system.

The domain that a process runs in can be determined by the type of the executable (e.g. /sbin/init has type init_exec_t and when kernel_t execs it the domain transitions to init_t). The domain can also be specified by the process calling exec (so that /bin/login and sshd can specify the correct context for a shell).

There is a lot more than that: roles, identities, constraints, assertions, and MLS (which we have no immediate plans to put in Fedora). But when you first start using SE Linux you don't have to worry too much about that.
On Sat, 28 Feb 2004 02:49, "Mike A. Harris" <mharris@xxxxxxxxxx> wrote:
> It's been scrutinized fairly heavily from what I understand. One
> of the beautiful things about open source is that anyone can
> scrutinize the source, so it is much more likely to have any
> security holes found and fixed in it. That's irrespective of
> whether they would be planted or accidental of course.

I know several people who have read through all the SE Linux kernel code and looked for bugs/trojans/etc. Last time I spoke to them about such issues none of them were willing to publicly announce this. Claiming to be good enough at kernel coding to find any back-doors written by experts would be a significant boast.

But I think that having a number of people look through the code gives a good degree of assurance; maybe one or two people might miss a bug, but someone would find it.

Finally, there are lots of people who are trying to make a career in computer security by finding vulnerabilities. If they could find a bug in SE Linux (either deliberate or accidental) then they would become quite famous very quickly.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
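A toy model of the two-stage access check and the exec domain transition described in the reply to James Harrison above, added here as an illustration and not taken from the post or from the SE Linux kernel code. The types, file modes, domains and rules are constructed (only the /sbin/init, init_exec_t, kernel_t and init_t names come from the post), and the DAC check is simplified to owner/other bits with uid 0 bypassing it.

```python
# Constructed model, not kernel code: Unix DAC runs first, SE Linux only sees
# requests DAC allowed, and exec may move the process into a new domain.
from dataclasses import dataclass, field

@dataclass
class Obj:
    path: str
    uid: int
    mode: int     # Unix permission bits, e.g. 0o644
    type: str     # SE Linux type label, e.g. "init_exec_t"

@dataclass
class Proc:
    uid: int
    domain: str   # SE Linux domain, e.g. "kernel_t"

@dataclass
class Policy:
    allow: dict = field(default_factory=dict)        # (domain, type, class) -> perms
    transitions: dict = field(default_factory=dict)  # (domain, exec type) -> new domain

def unix_check(proc, obj, perm):
    """Simplified DAC: uid 0 passes; else owner bits if the uid matches, else 'other' bits."""
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    if proc.uid == 0:
        return True
    bits = obj.mode >> 6 if proc.uid == obj.uid else obj.mode
    return bool(bits & bit)

def access(policy, proc, obj, perm, cls="file"):
    """Return ("allow", None) or ("deny", stage); SE Linux is not consulted if DAC denies."""
    if not unix_check(proc, obj, perm):
        return ("deny", "unix")
    if perm not in policy.allow.get((proc.domain, obj.type, cls), set()):
        return ("deny", "selinux")
    return ("allow", None)

def exec_domain(policy, proc, obj):
    """Domain after exec: the transition for (caller domain, executable type), else unchanged."""
    return policy.transitions.get((proc.domain, obj.type), proc.domain)

# Constructed policy and objects; the shadow_t/etc_t/user_t names are hypothetical here.
POLICY = Policy(
    allow={("kernel_t", "init_exec_t", "file"): {"read", "execute"},
           ("init_t", "etc_t", "file"): {"read"}, ("user_t", "etc_t", "file"): {"read"}},
    transitions={("kernel_t", "init_exec_t"): "init_t"})
SBIN_INIT = Obj("/sbin/init", 0, 0o755, "init_exec_t")
SHADOW = Obj("/etc/shadow", 0, 0o600, "shadow_t")
PASSWD = Obj("/etc/passwd", 0, 0o644, "etc_t")
```

A non-root user_t process asking to read SHADOW is refused at the Unix stage before the policy is ever looked at, while a uid 0 user_t process passes DAC and is then refused by the policy; that is the "can't make things any less secure than a regular Linux system" point in runnable form.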