On Friday 24 June 2005 01:08, Paul A Houle <ph18@xxxxxxxxxxx> wrote:
> >I have doubts about such play machines except as a learning tool, but if
> >you are interested, Russell Coker has a SELinux play machine available
> >with information at:
> >http://www.coker.com.au/selinux/play.html

The aims of the SE Linux play machines are to teach people about SE Linux and
to test the policy. Quite a number of improvements have been made to the SE
Linux policy (including adding the staff_r and support for easily adding more
roles) as a result of this.

> Yeah, I thought about this a lot last night, and realized that
> even if the SELinux implementation in the kernel was perfect,
> everything hangs on the userspace implementation.

Are you concerned about crond running a cron job as sysadm_r:sysadm_crond_t
instead of user_r:user_crond_t? If so then the risk is smaller than the risk
of running a job as UID 0 instead of UID 1000 due to the strict controls on
creating crontab files and the checks on the context of the crontab files
before running the cron jobs.

On a machine running the strict SE Linux policy a bug in sshd, crond,
unix_chkpwd, or login could be used to crack a system. On a machine not
running SE Linux bugs in those programs could be used even more easily than
on a SE Linux system, as well as bugs in any SUID program (of which there are
many).

> There's a certain
> emotional reaction that people get from hearing that you can log in as
> 'root' and it's harmless,

It demonstrates that SE Linux access controls restrict all operations that a
program may perform. It's recommended that you plan on using Unix permissions
as another layer of defense, but it has been shown that SE Linux controls
everything.
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
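The message above argues that crond's choice of job domain rests on the security context recorded on each crontab file, so a defender's natural check is that no crontab in the spool carries a more privileged SELinux user or type than its Unix owner should have. The following audit script is an added example, not code from Russell's post or from the SE Linux project: the `ls -Z`-style sample output, the account-to-context table `EXPECTED`, and the file layout it parses are all constructed assumptions for illustration.

```python
"""Added example (not part of the original post): audit the SELinux context
recorded on each crontab spool file against the SELinux user and type the
Unix account is expected to run under.

The constructed sample below mimics `ls -Z` output for a crontab spool
directory (mode, owner, group, context, filename). The EXPECTED table is a
constructed stand-in for what a site's strict policy would assign.
"""
import re

# Constructed sample in the shape of `ls -Z /var/spool/cron` output.
# Column layout is an assumption of this example, not real captured data.
SAMPLE_LS_Z = """\
-rw-------  root  root   system_u:object_r:sysadm_cron_spool_t  root
-rw-------  alice root   user_u:object_r:user_cron_spool_t      alice
-rw-------  bob   root   sysadm_u:object_r:sysadm_cron_spool_t  bob
-rw-------  carol root   staff_u:object_r:staff_cron_spool_t    carol
"""

# Constructed expectation: (SELinux user, file type) each account's crontab
# should carry. 'bob' is an ordinary user, so a sysadm context on his
# crontab is exactly the mislabelling the audit should catch.
EXPECTED = {
    "root":  ("system_u", "sysadm_cron_spool_t"),
    "alice": ("user_u",   "user_cron_spool_t"),
    "bob":   ("user_u",   "user_cron_spool_t"),
    "carol": ("staff_u",  "staff_cron_spool_t"),
}

# One ls -Z line: mode, owner, group, user:role:type context, filename.
LINE_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<seuser>[^:\s]+):(?P<serole>[^:\s]+):(?P<setype>[^:\s]+)\s+"
    r"(?P<name>\S+)$"
)


def parse_ls_z(text):
    """Parse ls -Z style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_crontabs(text, expected):
    """Return (filename, reason) pairs for crontabs whose SELinux user or type
    differs from the owner's expected context, whose filename does not match
    the owner, or whose mode is wider than owner-only read/write."""
    findings = []
    for e in parse_ls_z(text):
        owner, name = e["owner"], e["name"]
        if name != owner:
            findings.append((name, "filename does not match owner %s" % owner))
            continue
        if owner not in expected:
            findings.append((name, "no expected context for owner %s" % owner))
            continue
        want_user, want_type = expected[owner]
        if e["seuser"] != want_user:
            findings.append((name, "SELinux user %s, expected %s"
                             % (e["seuser"], want_user)))
        if e["setype"] != want_type:
            findings.append((name, "type %s, expected %s"
                             % (e["setype"], want_type)))
        if e["mode"] != "-rw-------":
            findings.append((name, "mode %s is wider than owner-only" % e["mode"]))
    return findings


if __name__ == "__main__":
    for name, reason in audit_crontabs(SAMPLE_LS_Z, EXPECTED):
        print("%s: %s" % (name, reason))
```

Run on the constructed sample, the script reports only `bob`, whose crontab carries `sysadm_u` and a sysadm spool type although the account is expected to run as `user_u`. On a real system you would feed it the output of `ls -Z` on the spool directory and derive `EXPECTED` from the site's policy rather than a hard-coded table.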