On Tue, 2004-09-14 at 04:11, josh baverstock wrote:
> I must first admit that I am new to Linux; I am not qualified to suggest a
> feature, so please consider this a question.
>
> IF it's true that when SELinux is fully enabled the restrictions can cause
> some problems when programs do things they are supposed to do but normally
> don't, THEN I have an idea.
>
> What if an intrusion detection system were to inform the SELinux server that
> an intrusion is likely happening, which triggers a change from
> non-enforcement mode to enforcement mode?
>
> Would this "raise the shields" method be useful for situations where
> enforcement mode just isn't right, or is this more of a fundamental
> misunderstanding on my part of how SELinux works...?

Switching back and forth between permissive mode and enforcing mode in this
manner is not a good idea, as:

- there is no SELinux protection at all while in permissive mode (and the
  IDS trigger to switch to enforcing mode may be processed too late to
  prevent the attack),

- the lack of any enforcement will likely cause your system to migrate into
  a state of operation while running in permissive mode that will break in
  spectacular fashion when you are suddenly switched into enforcing mode by
  some external event, in which case your IDS suddenly becomes a vector for
  an easy DOS attack.

It would be better to instead define a policy that matches your security
goals in the first place, even if they are modest, and run enforcing all the
time with that policy (e.g. see the targeted policy in FC3/devel).

You could also try to implement multiple "levels" of security in a single
policy using the runtime policy boolean support, and have your IDS trigger
well-defined changes in the policy state by changing one or more policy
booleans in response to events.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
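The "levels via policy booleans" approach in the last paragraph, as an added example that is not part of Smalley's mail: a POSIX shell hook an IDS could call with an alert level. Each level is a fixed set of boolean values, so the policy state after any alert is well defined, the system stays enforcing throughout, and the hook only ever tightens unless explicitly told otherwise (a spoofable hook that can loosen policy would be the new attack vector). The level names, the state-file path and the httpd_* boolean names are assumptions for illustration; substitute booleans that exist in your loaded policy (`getsebool -a`) and that actually gate `if (bool) { allow ... }` rules you care about, otherwise flipping them changes nothing.

```sh
#!/bin/sh
# Added example (not from the original mail): raise or lower a SELinux
# "security level" by flipping policy booleans instead of toggling
# enforcing mode. Level names, boolean names and the state-file path are
# illustrative assumptions; adapt them to the policy actually loaded.

# Each level is a whitespace-separated list of name=value pairs, written
# so that a higher level only switches access off. Unknown levels fail.
booleans_for_level() {
    case "$1" in
        normal)   echo "httpd_can_network_connect=on  httpd_enable_cgi=on  httpd_enable_homedirs=on" ;;
        elevated) echo "httpd_can_network_connect=off httpd_enable_cgi=on  httpd_enable_homedirs=on" ;;
        lockdown) echo "httpd_can_network_connect=off httpd_enable_cgi=off httpd_enable_homedirs=off" ;;
        *)        return 1 ;;
    esac
}

# Numeric rank of a level, used to decide whether a transition tightens.
level_rank() {
    case "$1" in
        normal)   echo 0 ;;
        elevated) echo 1 ;;
        lockdown) echo 2 ;;
        *)        return 1 ;;
    esac
}

# Move to a level. The last applied level is remembered in STATE_FILE so
# that an alert can only tighten policy; lowering requires LOWER=yes and
# should be a deliberate operator action, not something the IDS does.
# setsebool without -P changes the running policy only, so the change does
# not survive a reboot, which is the right scope for a temporary shield.
# Set SETSEBOOL=echo to dry-run.
apply_level() {
    target="$1"
    target_rank=$(level_rank "$target") || { echo "unknown level: $target" >&2; return 1; }
    state="${STATE_FILE:-/var/run/selinux-shields.level}"
    current=$(cat "$state" 2>/dev/null || echo normal)
    current_rank=$(level_rank "$current") || current_rank=0
    if [ "$target_rank" -lt "$current_rank" ] && [ "${LOWER:-no}" != yes ]; then
        echo "refusing to lower level from $current to $target (set LOWER=yes)" >&2
        return 2
    fi
    for pair in $(booleans_for_level "$target"); do
        ${SETSEBOOL:-setsebool} "$pair" || return 1
    done
    echo "$target" > "$state"
}

# Verify the running state against a level. $2 is `getsebool -a` output
# (lines of the form "httpd_enable_cgi --> off"). Prints the first
# mismatching boolean and returns 1; returns 0 when everything matches.
level_matches() {
    want_level="$1"
    output="$2"
    for pair in $(booleans_for_level "$want_level"); do
        name="${pair%=*}"
        want="${pair#*=}"
        got=$(printf '%s\n' "$output" | awk -v n="$name" '$1 == n { print $3 }')
        if [ "$got" != "$want" ]; then
            echo "$name is '$got', expected '$want'"
            return 1
        fi
    done
}

# Usage from the IDS alert hook: shields.sh LEVEL
if [ $# -gt 0 ]; then
    apply_level "$1" && level_matches "$1" "$(${GETSEBOOL:-getsebool} -a)"
fi
```

The hook deliberately does nothing about enforcing mode: every level is a state of the same enforcing policy, so there is no permissive window for the attack to land in and no sudden switch for the workload to break on. What a level actually removes depends entirely on which rules in the loaded policy are conditioned on the chosen booleans, so test each level against the real workload before wiring it to an alert.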