| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Saturday 22 March 2003 08:49, Joshua Brindle wrote: |
| 5 |
> While we are pretty much set to use selinux for our MAC implementation we |
| 6 |
> still need a lighter weight, less intrusive ACL implementation. |
| 7 |
|
| 8 |
Indeed. Unfortunately, I haven't got enough experience with selinux to say |
| 9 |
how intrusive and hard it is to use, so my statements here might be |
| 10 |
invalid. After some experience with systrace, I've found it very stable and |
| 11 |
easy to use (the stability point might be invalid, as I've only used it on |
| 12 |
OpenBSD). Bottom line: It's a simple consept that works, and I like it. |
| 13 |
|
| 14 |
Still, I don't think it will be very good for system wide operation through |
| 15 |
wrappers and such. Wrappers are dirty, and shouldn't (IMO) be used or |
| 16 |
supported in a large extent by a major Linux distribution. A nicer solution |
| 17 |
would be to either ask someone central in systrace development (Niels or |
| 18 |
Marius, for instance) how hard it would be to enforce systrace on a |
| 19 |
system-wide basis natively in the kernel (and if they're willing to pursue |
| 20 |
such an idea... there might be a valid reason why they designed it this way |
| 21 |
in the first place). |
| 22 |
|
| 23 |
However, as Nate demontrates, systrace works quite well when invoked through |
| 24 |
rc scripts. IMO, it would be very nice to provide default ACLs and a |
| 25 |
possibility to enforce systrace on daemons started through the rc scripts. |
| 26 |
|
| 27 |
I do agree that selinux should be the main concern for developers in the |
| 28 |
startup phase, but setting up a framework for systrace in the rc scripts |
| 29 |
shouldn't be too demanding, and could probably be done without losing more |
| 30 |
than a couple of days worth of selinux work. Some people (including myself) |
| 31 |
would appreciate something lighter than selinux mostly for daemons. Light |
| 32 |
paranoia and security awareness vs. full paranoia, kind of :) |
| 33 |
|
| 34 |
Regards, |
| 35 |
|
| 36 |
- -- |
| 37 |
Joachim Blaabjerg |
| 38 |
Gentoo Linux Security Developer |
| 39 |
GPG key @ http://cvs.gentoo.org/~styx |
| 40 |
-----BEGIN PGP SIGNATURE----- |
| 41 |
Version: GnuPG v1.2.1 (GNU/Linux) |
| 42 |
|
| 43 |
iD8DBQE+fiU3FJKdDpq6hFsRAuZSAJ0aKyN72Q4JGi1cX6+NJ3uCNABYyQCghlsu |
| 44 |
bfz+cMlX4fc50sNW8aGBLss= |
| 45 |
=1nDh |
| 46 |
-----END PGP SIGNATURE----- |
| 47 |
|
| 48 |
|
| 49 |
-- |
| 50 |
gentoo-hardened@g.o mailing list |
Archives