Two further questions:

1. Does SELinux provide any countermeasure against buffer overflow attacks?
2. I read about the possibility of keeping processes from forking. Wouldn't you consider this as a protection from DoS attacks?

> Date: Fri, 14 Aug 2009 21:28:57 +1000
> From: jmorris@xxxxxxxxx
> To: stecarucci@xxxxxxxxxxx
> CC: selinux@xxxxxxxxxxxxx
> Subject: Re: SElinux protection
>
> On Fri, 14 Aug 2009, Stefano Carucci wrote:
>
> > Hello all.
> >
> > I would like to pose some questions on the type of attacks that SELinux offers a protection from.
> >
> > In particular:
> > 1. What are the types of attacks that are inhibited?
>
> The aim for the general case is to contain software vulnerabilities in
> userland code. Note that in commonly shipped general purpose policies,
> local login users are not confined by default; the emphasis is on locking
> down network facing services.
>
> > 2. What are those that are not, because not explicitly designed for, and may still affect the system?
>
> As mentioned, local login users are generally not confined by SELinux
> policy in Fedora-based systems, although this is a matter of policy
> design; it's not inherent to SELinux itself. There are some examples of
> confining local users, such as Kiosk Mode (install the xguest package),
> and work in this area generally is expected to continue.
>
> SELinux operates at the kernel level, so vulnerabilities in the kernel
> itself may reduce or disable the protection of SELinux. Other mechanisms
> are required to protect the kernel.
>
> > 3. Is there any countermeasure against DoS attacks?
>
> No.
>
> A lot of information on SELinux is available here:
> http://selinuxproject.org/page/User_Resources
>
> This is a very brief overview:
> http://www.slideshare.net/jamesmorris/lf-japan-08-talk
>
> --
> James Morris
> <jmorris@xxxxxxxxx>