| 1 |
On Mon, Sep 09, 2013 at 04:30:31PM +0100, thegeezer wrote: |
| 2 |
> >> i read in slashdot that there is a question mark over SELinux because it came |
| 3 |
> >> from the NSA [4] but this is nonsense, as it is a means of securing processes |
| 4 |
> >> not network connections. i find it difficult to believe that a backdoor in a |
| 5 |
> >> locked cupboard in your house can somehow give access through the front door. |
| 6 |
> > This point you get wrong. SELinux implement the LSM API (in fact the LSM API |
| 7 |
> > was tailored to SELinux needs). It has hooks in nearly everything |
| 8 |
> > (file/directory access, process access and also sockets). One of the biggest |
| 9 |
> > concerns at the time of creation of the LSM API was rootkits hooking that |
| 10 |
> > functions. It's definitively a thread. I'm not saying that SELinux contains |
| 11 |
> > a backdoor (I for myself would have hidden it in the LSM part, not in SELinux |
| 12 |
> > because that would enable me to use it even if other LSMs are used). If you |
| 13 |
> > google for "underhanded C contest" you'll see that it's possible to hide |
| 14 |
> > malicious behaviour in plain sight. And if the kernel is compromised all other |
| 15 |
> > defenses mean nothing. (As I said, I don't want to spread fearbut that is |
| 16 |
> > something to consider imho). |
| 17 |
> Interesting, I didn't realise LSM provisioned hooks for SELinux - |
| 18 |
> thought it it was more modular (and less 'shoehorned') than that. |
| 19 |
> I need to go read about that some more now |
| 20 |
|
| 21 |
|
| 22 |
You can start here: |
| 23 |
|
| 24 |
http://www.freetechbooks.com/efiles/selinuxnotebook/The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf |
| 25 |
|
| 26 |
for a general overview (page 64ff has a list of the hooks). |
| 27 |
Other than that http://www.kroah.com/linux/talks/ols_2002_lsm_paper/lsm.pdf and |
| 28 |
http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf may be |
| 29 |
of interest (though both are quite old). |
| 30 |
|
| 31 |
WKR |
| 32 |
Hinnerk |
Archives