On Saturday 22 March 2003 08:49, Joshua Brindle wrote:
> While we are pretty much set to use selinux for our MAC implementation we
> still need a lighter weight, less intrusive ACL implementation.

Indeed. Unfortunately, I haven't got enough experience with selinux to say
how intrusive and hard it is to use, so my statements here might be
invalid. After some experience with systrace, I've found it very stable and
easy to use (the stability point might be invalid, as I've only used it on
OpenBSD). Bottom line: It's a simple concept that works, and I like it.

Still, I don't think it will be very good for system wide operation through
wrappers and such. Wrappers are dirty, and shouldn't (IMO) be used or
supported to a large extent by a major Linux distribution. A nicer solution
would be to either ask someone central in systrace development (Niels or
Marius, for instance) how hard it would be to enforce systrace on a
system-wide basis natively in the kernel (and if they're willing to pursue
such an idea... there might be a valid reason why they designed it this way
in the first place).

However, as Nate demonstrates, systrace works quite well when invoked through
rc scripts. IMO, it would be very nice to provide default ACLs and a
possibility to enforce systrace on daemons started through the rc scripts.

I do agree that selinux should be the main concern for developers in the
startup phase, but setting up a framework for systrace in the rc scripts
shouldn't be too demanding, and could probably be done without losing more
than a couple of days' worth of selinux work. Some people (including myself)
would appreciate something lighter than selinux mostly for daemons. Light
paranoia and security awareness vs. full paranoia, kind of :)

Regards,

--
Joachim Blaabjerg
Gentoo Linux Security Developer
GPG key @ http://cvs.gentoo.org/~styx

--
gentoo-hardened@g.o mailing list