Weekly Edition
Return to the Security page
| |||||||||||||
Civilizing SELinux
On its face, SELinux offers a number of attractive capabilities. It
enables a Linux system to be partitioned into lots of little realms
("domains" or "types") with fine-grained control over the capabilities of
each realm. For example, the named DNS server can be empowered to bind to the
DNS ports (but no others), write to its log and cache files (but no
others), and read from its configuration files (but from nowhere else). It
can read random numbers, but cannot access any other device files. And so
on. The end result is that, even if named falls to a remote code exploit,
there is very little that exploit can actually do. A vulnerability which,
on a current Linux system, could lead to a full system compromise is
limited to a denial of service problem, or, at worst, the provision of
bogus DNS information.
This promise is worth something. Currently, any sort of compromise of any daemon on the system has a good chance of being escalated to full control of the system itself. SELinux cannot prevent security holes in server processes, but it does have the potential to strictly limit the damage which can be done by exploiting those holes. SELinux could be the mechanism which turns Linux into the most secure widely-used operating system on the planet. The only problem is that getting there could be a challenge, and, along the way, we risk turning Linux into a system we no longer wish to use. Like all good kernel code, SELinux does not, itself, contain a security policy. That policy, instead, is defined by the system administrator and loaded from user space. Defining that policy, however, is not the easiest thing to do. The book SELinux: NSA's Open Source Security Enhanced Linux, just reviewed by LWN, notes that a typical set of policy files contains some 250,000 lines of code. More to the point:
The SELinux source policy is a sophisticated software system. It
includes dozens of object classes, scores of defined permissions,
more than 1,000 type transitions, thousands of object instances,
and tens of thousands of access-vector rules.
As an aside, all of this code is written in a language which, as of this writing, probably has no more than a few dozen expert authors. So a couple of questions come immediately to mind: how is it possible for anybody to truly understand a system's security policy, and how can that policy be shown to be correct? Complexity and obscurity are enemies of security, and SELinux has large amounts of both. There are complications. Installing a new program on a full-blown SELinux system required updating the security policy. There has been talk of a day when applications are routinely shipped with SELinux policy files, just like they currently contain makefiles. But that talk assumes that large numbers of application developers will learn the SELinux policy language well enough to write a secure policy for their code. It assumes that system administrators will understand those files well enough to decide whether they are safe to install. In an SELinux world, malicious policy files may become a required part of any self-respecting trojan horse; vigilance will be required. Perhaps the biggest problem, though, is the assumption that a single policy file will fit into the security policies running on systems worldwide. If everybody ends up with a single, uniform security policy derived from the SELinux sample policy, that assumption might hold. But how can a single security policy make sense for all situations? The sheer difficulty of creating a radically different policy will likely keep experimentation to a minimum, but there will inevitably be pressure for different policies for different situations. In the future, we may see new offshoot distributions which differ mainly in their SELinux policies. Divergent security policies will be good for user choice, and the diversity may be good for the security of the net in general. But they will make it hard to write a portable application policy file. SELinux depends on "labels" applied to almost all files on the system. Those labels define the type(s) of the files, and, thus, who can access them, and in which way. These labels are also a crucial part of the domain system which allows the isolation of specific daemons and utilities. Maintaining the integrity of these labels proves to be a challenge, however. Consider this warning from the SELinux book:
If you use vipw, vi, or some other means to
modify /etc/passwd, /etc/group, or
/etc/shadow, you'll likely remove the security context
labeling [from] the file, which will make the file inaccessible.
Relabeling files is something every SELinux administrator needs to know how to do. The Fedora boot process checks for labeling problems, and, when they are found, it automatically relabels things. Relabeling is a fact of life in the SELinux world. It turns out that the proper labels are stored in the SELinux policy; what's on the files themselves can be thought of as a sort of cached version. In other words, SELinux has imposed a new file permissions scheme which is maintained outside of the kernel. If the files are manipulated by non-aware applications, or by way of a non-SELinux kernel, those permissions will become unsynchronized. Applications installed by the administrator will have labeling problems of their own. The end result is that SELinux could lead to systems which are too complex to administer, which have a single security policy created by the distributor, and which are highly resistant to the installation of software not provided by the distributor - or to changes in general. That is not a world which most of us would like to live in; we should think carefully before we run too quickly in that direction. Of course, that is a worst case scenario, and the Linux community is unlikely to let things get that bad. Some steps have already been taken in the right direction. The Fedora Project's decision to fall back to a "targeted" mode, where SELinux only applies to certain system daemons, is a good start. The targeted mode reduces the complexity of the security policy and makes experimentation easier. Fedora has also introduced "policy booleans" to the mix. These booleans are runtime variables which provide (relatively) high-level control over the system's security policy. Booleans in Fedora Core 3 control whether Apache can run CGI programs or read home directories, whether yellow pages can be used, and more. The booleans point in an important direction. Perhaps part of the real problem with SELinux is that policies must be written in the equivalent of assembly language. Most programmers do not want to worry about individual register assignments, and most system administrators would rather not deal with domain transitions and access vectors. If, in some future day, a system's security policy can be specified with, at most, a few hundred lines of high-level declarations, that policy may just be manageable. If that can be done, SELinux might just be the answer to a lot of our security worries. (See also: this just-released, beta Fedora document which describes what is involved in using SELinux to control Apache). (Log in to post comments)
Civilizing SELinux Posted Nov 18, 2004 3:15 UTC (Thu) by walters (subscriber, #7396) [Link] This is a long article, and a detailed reply is a bit annoying to do in a comment. I'll give it a shot anyways :) So a couple of questions come immediately to mind: how is it possible for anybody to truly understand a system's security policy, and how can that policy be shown to be correct? Complexity and obscurity are enemies of security, and SELinux has large amounts of both. In general, I don't think anyone out there understands everything that goes on in a Linux system, particularly as projects like Fedora drive towards further integration. A very good example is the recent work we did on allowing a user to set the printer driver for CUPS. This involved a hotplug script from HAL which would talk to the user session, which was listening on a D-BUS service. When the user picked a driver, the cups-config-daemon process would run printconf-backend and send SIGHUP to CUPS. I extended the CUPS SELinux policy for this, and it was not particularly easy; I kept being surprised by what was being executed, what files were being changed (e.g. /etc/alchemist/namespace/printconf/local.adl). But rewriting the code was not an option, so SELinux had to be able to adapt to the complexity of the system. The second point I want to make here is that yes, the SELinux example policy is complex, but there exist tools to analyze it. For example, apol from Tresys. Installing a new program on a full-blown SELinux system required updating the security policy. Not necessarily. For example, in the "targeted" policy, only a few select daemons are confined. Any new software you install is unrestricted by SELinux by default. Even in the strict policy, you have the option to mark executables as unconfined_exec_t; this means that when executed, the process will transition to unconfined_t and not be restricted by SELinux. Obviously though, it's better to write policy. There has been talk of a day when applications are routinely shipped with SELinux policy files, just like they currently contain makefiles. I can imagine sample policies being shipped, but there should be no expectation that a security policy can work anywhere: Perhaps the biggest problem, though, is the assumption that a single policy file will fit into the security policies running on systems worldwide. There is absolutely no such assumption. The NSA has made it very clear that the policy distributed on their website is only a sample policy. Distributions use it as a common reference point, but nothing in SELinux requires you to use the sample policy, or your distribution's policy. That all said, I think you would have to have some very strong requirements to deviate very far from the sample policy. It turns out that the proper labels are stored in the SELinux policy; what's on the files themselves can be thought of as a sort of cached version. Sort of. We've discussed this on the SELinux mailing list, and I think the general agreement was that the filesystem labels (xattrs) are not just a cache for the policy file_contexts regexps, but can be legitimately customized. Perhaps part of the real problem with SELinux is that policies must be written in the equivalent of assembly language. This has come up before. It is certainly possible to imagine a more coarse-grained syntax for policy writing. The difficulty I see in creating such a language is twofold; first, it could create a false sense of security. For exaple, if this higher-level language only restricts accesses to files, but allows signals to any other domain, that could be exploited fairly easily. The other issue is making it integrate nicely with the existing language; if you e.g. take the approach of autogenerating type names for files, this would look very ugly for those of us writing in the "low level" language.
Civilizing SELinux Posted Nov 18, 2004 17:52 UTC (Thu) by iabervon (subscriber, #722) [Link] I think that a good basic principle for a desktop system would be relatively simple: everything the user isn't expected to know about is restricted by the distribution's policies; anything the user installs, unless it's "official", is prohibited from mucking with the root-owned portion of the system, but can do anything the user can do; a "fakeroot-rpm" system would be very helpful (so you could install a random rpm, and it would look to you like it was installed, but not be able to affect the function of the system other than for you).
The thing that I'd like to see out of SELinux is the ability to tightly restrict the abilities of plug-ins. Your mail program, when you click on an attachment, would run a viewer for it, but would prohibit the viewer from doing anything other than reading files without side-effects, displaying content in its window, and accepting input in its window. This could allow the system to support the distinction in the user's mind between "looking at" something and "running" it. Each new user would probably try saving from a program out of their email and be unhappy, but the concept that you need to export any program you intend to "use" and shouldn't export anything you want to "look at" would fit user's naive expectations far better than current systems (the confusion would come from user's experiences that computers generally violate these expectations).
Civilizing SELinux Posted Nov 18, 2004 23:33 UTC (Thu) by walters (subscriber, #7396) [Link] Your mail program, when you click on an attachment, would run a viewer for it, but would prohibit the viewer from doing anything other than reading files without side-effects, displaying content in its window, and accepting input in its window. Yep, would be very cool. Requires Security-Enhanced X, something we hope to do for Fedora Core 4.
Civilizing SELinux Posted Nov 26, 2004 4:38 UTC (Fri) by spender (subscriber, #23067) [Link] When can we expect to see Fedora fix their information leaking glibc that makes arbitrary code execution trivial for suid apps?When can we expect to see the Fedora project implement their own quality assurance that would prevent the frequent crop of problems involving marking PT_GNU_STACK on libraries where it is unnecessary, silently removing any NX protection for all processes that load the libraries? When can we expect RedHat developers, when presented with bugs of the above type in their poorly engineered distribution by users of PaX/grsecurity, to fix the mentioned bugs, instead of completely dismissing them without even understanding them?
How about a little less SELinux hype, and a little more time spent on understanding security? It's clear RedHat is more interested in buzzwords and making a mockery of people involved in real security research. The longer you continue your propoganda machine, telling your users that "crypto-signed modules stop rootkits" and "SELinux turns a potential system compromise into WORST CASE modified DNS replies," the more you are lulling them into a false sense of security.
Let's not tell the users about kernel exploits (which are more prevalent now than bugs in suid apps) or how easy it is to execute arbitrary code on a default fedora install, because our image as great pioneers in the field of security (which has amounted to cheap ripoffs of code present 3 years prior to RedHat ever entering the game) is much more important than the security of our users.
I've also wondered why RedHat is so unnecessarily anal on the side of access control to be using SELinux, but so overwhelming lax on the side of stopping exploits in the first place to be using Exec-Shield. This conflict is confusing to me, as it seems the latter is more important.
Immunity has exploits that work *reliably* against Fedora with Exec-Shield. Of course, as Immunity doesn't release exploits, your precious image won't be tainted, which is what you really care about, right? Want to bet that if someone were to send a mail to FD and Bugtraq demanding that Fedora fix their information leaking glibc that they've refused to fix for months now, it would be fixed? Why do you think that is? It's easy to blow off your security problems as long as they hide in your bug tracking system, outside of the view of the general public.
Civilizing SELinux Posted Nov 26, 2004 4:58 UTC (Fri) by bluefoxicy (guest, #25366) [Link] Want to bet that if someone were to send a mail to FD and Bugtraq demanding that Fedora fix their information leaking glibc that they've refused to fix for months now, it would be fixed? Brad, do us all a favor. You're pretty smart, you can map out these things and make a comprehensive report on what's wrong, why it's wrong, and why it needs to be fixed, right? Go do it. I'd really love Linux and hell my favorite distribution to carry the "security torch," and really want to see PaX and GR get the credit they deserve. SELinux and RSBAC are good too though; but I personally despise the hype SE gets, not because anything else is better or worse, but because a lot of people get just that-- hype. When you focus on ONE solution, you come up with a crowd that thinks it's a magic bullet that will mitigate everything else, sometimes even including patches. We went through the same kind of thing with firewalls. Norton Personal Firewall, Zone Alarm, Black Ice, all things people thought "would stop [crackers]" all by themselves. I wasn't around to see if they did the same thing with Antivirus software, though I imagine this "magic program that removes [cracker] programs will fix everything!!!" Most people still blame 100% of their problems on viruses. You need a diverse range of solutions: PaX, MAC, GRSec's kernel enhancements, SSP, firewalling, augment ClamAV with heuristics, use application proxy firewalls and firefox/thunderbird plug-ins to scan for malware in web pages and e-mail, etc. I'm not sure what my exact point is WRT this topic, but there's stuff relavent here I'm sure, since I kind of went all over the place.
Civilizing SELinux Posted Nov 26, 2004 5:22 UTC (Fri) by spender (subscriber, #23067) [Link] Here's the situation: We've filed the bug reports. We've shown that it leaks the base addresses for mmap randomization. It's plain as day to see: run the suid app with LD_DEBUG=all multiple times, and you'll see the library addresses, which will be different each time. Jakub Jelinek's reply has been that it "doesn't leak specific symbol addresses." I'm not sure he understands that if you have information about the mmap base, you can easily calculate a specific symbol address from it. We've shown him another environment variable that does leak specific addresses, and his only reply has been "maybe we should fix this." I've not seen a fix announced yet. That was months ago: they've released updated glibc packages since then not containing any of these fixes.
What do you do when the person in control of the code is too stupid and stubborn to fix his own bugs? Is it my job to hold the hand of this jerk who is too concerned with being a smart-ass to fix his own bugs?
Civilizing SELinux Posted Nov 26, 2004 5:52 UTC (Fri) by bluefoxicy (guest, #25366) [Link] If I can LD_DEBUG=all and run a program, I can find the libraries it uses and find the symbols at offsets, and calculate that. You are indeed correct about this. I also read that LAZY binding allows you to block STDOUT at critical points and exploit race conditions on infinite windows instead of milisecond-wide windows. I for one am glad that Gentoo has a dedicated security team that either creates or abducts any patches that fix ANY security concern, rather than wander around and go "huh that might not really be a problem maybe we shouldn't change it . . . ." bluefox@icebox ~/data/programming/woct $ LD_DEBUG=all su You said something about posting to BugTraq about some of these vulns. Has nobody done this? It may not be the best way to get in bed with them, but if there's a security issue that *needs* *to* *be* *fixed*, it may just be time to hit them in the face with the frying pan of reality. Then again, I don't know; I'm too busy playing FF8 to think about this right now.
Civilizing SELinux Posted Nov 25, 2004 23:55 UTC (Thu) by job (guest, #670) [Link] Every article that describes SELinux tends to describe its functionalitylike a standard MAC ACL like RSBAC, grsecurity or LIDS. Actually it is very different with several new concepts like roles, domains and types. What I would like is an explanation of what SELinux really does, what that system has that is superiour to the simpler systems. Is it worth the extra complexity? It would also be interesting to highlight other differences, such as that SELinux refers to files by their inode and the simpler systems by name. How do the respective developers view the pro/cons of each?
Civilizing SELinux Posted Nov 26, 2004 3:35 UTC (Fri) by spender (subscriber, #23067) [Link] "A vulnerability which, on a current Linux system, could lead to a full system compromise is limited to a denial of service problem, or, at worst, the provision of bogus DNS information."
Wow, talk about optimism. Did I miss something, or did the SELinux folks solve the entire problem of kernel exploits?
Civilizing SELinux Posted Nov 26, 2004 4:17 UTC (Fri) by Method (guest, #26150) [Link] Congratulations on the context destruction there. The context of the above quote was "The end result is that, even if named falls to a remote code exploit, there is very little that exploit can actually do."
So, a code exploit [in named] would be contained.
You speak as if some other access control system solves kernel exploits and we all know that isn't true, don't we ;)
And on the topic of policies.. I'm sure you believe learning mode produces better policies but that isn't true. Learning mode only tells what an application *tries* to do, not what it *should* do. If you knew anything about SELinux or had ever looked at the current policies you'd see the many cases where a policy writer feels an application is overstepping it's bounds and notes that it runs without the requested access and he puts a 'dontaudit' in the policy to squelch the denial while still preventing the access.
Civilizing SELinux Posted Nov 26, 2004 4:47 UTC (Fri) by etbe (subscriber, #17516) [Link] One point that should be mentioned when discussing policy generation is the bugs in applications that are discovered when writing policy.
ifdef(`hide_broken_symptoms', `
dontaudit ifconfig_t dhcpc_t:{ packet_socket udp_socket } { read write };
dontaudit ifconfig_t dhcpc_state_t:file { read write };
')dnl end broken symptoms
The above policy from dhcpc.te is to cover the bugs in the dhcpd which
allow inheriting open file handles when inappropriate. The file handles
in question should be explicitely closed before exec or set to
close-on-exec by fcntl. This is only a minor bug and doesn't seem
exploitable so we just put in dontaudit rules, eventually the dhcpd bugs
will be fixed.
Another example was a kernel bug that allowed init to inherit file handles to the initrd. I believe that I was the first person to discover that bug as it showed up in my log files on boot in an obvious manner. It is possible that someone else found the bug first (AFAIK no-one reported it first), that bug was not particularly difficult to find (it showed up in lsof), but it was a lot more obvious when running SE Linux. These are just two examples of how SE Linux policy when written correctly will expose bugs. If the policy was written in a manner of "let's run it once and allow everything it tries to do" then such bugs would be obscured. Finally there are many situations in which programs have to be permitted access that they don't normally request. Every daemon must be granted syslog access even though some daemons do not use syslog when things work well.
Civilizing SELinux Posted Nov 26, 2004 5:10 UTC (Fri) by spender (subscriber, #23067) [Link] Congratulations on your attempt at a rebuttal by "context destruction." Yes, the context of the above quote was what you said. "There is very little that exploit can actually do." The author then lists in the next sentence what that exploit could do IN THE WORST CASE. Nothing in your text refutes this. You're just trying to attack a straw man because you know you're wrong here. Unless you really believe that the worst case, as the author claims, is that dns replies could be modified.
Also, you speak as if some other system isn't implementing things that aim to stop kernel exploits. Apparently your vast security knowledge has overlooked the RANDKSTACK and KERNEXEC features of PaX. Maybe RedHat will rip these off 3 years from now too and take credit for them.
I've looked at the current policies for SELinux in Fedora Core 3, thanks. If you think they'll actually protect a server, you're seriously deluded. Stop drinking the SELinux kool-aid.
Does RedHat buy exploits for their own code?
Civilizing SELinux Posted Nov 26, 2004 5:34 UTC (Fri) by Method (guest, #26150) [Link] I said "access control systems" also.. Nothing keeps someone from running PaX with SELinux as Hardened Gentoo's SELinux implementation does. Those have absolutely nothing to do with mandatory access control (The scope of SELinux is MAC only)
Do you want some sort of prize for successfully integrating someone elses memory protections into grsec.. PaX is in no way reliant on your (or anyone elses) access control systems, in fact we have SELinux permissions to control PaX in Gentoo.
I'm not talking about Fedora Core 3 or it's policies, I see nothing refering to that.
As for the rest of the comment, if you have beef with Redhat and/or Exec-Shield (as you clearly do) take it up with them and not SELinux. SELinux wasn't developed by Redhat, they merely implement it. You have made zero objections to SELinux and only to Fedora's implementation of it (and not really much there)
SELinux also has other uses that you (and other anti-SELinux zealots) seem to be unable to address. SELinux allows strong control on information flow. There exist many environments where information flow restrictions are absolutely necessary and SELinux has the ability to arbitrate that on many more access vectors that grsec, IPC for example. (and this isn't all, I'd rather not fill up this comment with the 53 object classes SELinux covers)
Further, there exist tools *today* to analyze SELinux policies for possible information flow and execution paths, does grsec have those?
All-in-all SELinux is a very professional project with a great community and great collection of tools. I'm sorry you feel the need to FUD it.
For future trolling please note that:
Civilizing SELinux Posted Nov 26, 2004 5:55 UTC (Fri) by spender (subscriber, #23067) [Link] Again, the same old "granularity = security" argument, which is basically the only position SELinux users can have. As we all know, inserting data into message queues (a HUGE attack vector, from all the evidence I've seen on the Internet) is much more important than preventing kernel exploits. Clearly, the best security solution is one that focuses on these WIDELY used attack vectors like using gettimeofday() and semaphores, and ignores things like kernel exploits, keeping X from writing outside of necessary regions in /dev/mem, preventing arbitrary data writes to /etc/shadow, etc.
Nothing keeps someone from running PaX with SELinux indeed, but that doesn't mean SELinux does the things PaX needs to be used in production. SELinux does none of this other than using the PaX MAC hooks. So sure, someone can use PaX with SELinux, and they'll have a system wherein PaX can be easily bypassed, almost as bad as Exec-Shield.
I don't think you understand at all the userbase you're trying to force SELinux upon (I can tell you, they don't even know what IPC stands for, let alone know what its security implications are), and that is why SELinux will never be sucessful, no matter how much hype you continue to generate about it.
Civilizing SELinux Posted Nov 26, 2004 6:30 UTC (Fri) by bluefoxicy (guest, #25366) [Link] SELinux CAN be deployed with PaX, as method said. As I said in an earlier post, we don't need SELinux to end all security holes; we need SELinux (or RSBAC or GRSec or something), PaX, the IBM SSP patch, heavy code auditing (mudflap?), and several other things. We also need administrators who are awake and paying attention, despite the impenetrable fortress they live in; holes are only useful until someone sees them and fixes them, and if you're not looking, neither of those happen. I cannot comment on which MAC system is "best," but I will say that based on the arguments given here, it seems that SELinux and GRSec both have components that eachother do not have. Now I suggest you both stop slapping at eachother and screaming like two geeks from Revenge of the Nerds fighting over a girlfriend and start taking serious looks at what each system is missing. Both of you are claiming the other system is lacking; fix both. We don't stop l33t h4x0rz skr1pt1k1dd13z by standing around seeing who can urinate the longest off the side of a building.
Civilizing SELinux Posted Nov 26, 2004 7:06 UTC (Fri) by spender (subscriber, #23067) [Link] Apparently you didn't grasp the content of my post, as noted by your comment: "SELinux CAN be deployed with PaX." If hearing it from me that slapping PaX onto an SELinux machine does not constitute production usage of PaX, ask the PaX team. They'll tell you the same thing. But of course, you know better than I do. But if that's your belief, please do continue using PaX and SELinux together (since Method is such an expert on all things security-related and is such close friends with the PaX team), and enjoy your false sense of security.
Civilizing SELinux Posted Nov 26, 2004 7:26 UTC (Fri) by bluefoxicy (guest, #25366) [Link] How about:
PaX & SELinux & whatever from GRSecurity is useful & Forkbomb Protector & IBM Stack Smash Protector & Stateful Firewalling (netfilter) & Packet filter firewalling (netfilter) & Dan's Guardian & ClamAV (after adding heuristics) & snort-inline & DigSig & UML & Discressionary Netfilter (non-existant hack that could be done using iptables, sudo, and some scripts)
SE isn't everything. PaX isn't everything. GR isn't everything. Firewalls aren't everything. Stack smash protection isn't everything. You need to combine everything to get everything.
Again, I won't say either of you is right; I'm just concerned that this argument is a poor way to convey your points, and that you are dwelling on defending your egos far too much more than you are on discerning what's wrong on each side and fixing those.
Civilizing SELinux Posted Nov 26, 2004 7:56 UTC (Fri) by spender (subscriber, #23067) [Link] Nope. You missed the point again. I'm not talking about having a complete security system. I'm saying that there are things that are discussed in the PaX documents that someone implementing PaX in production environments must handle. PaX itself does not handle these things because they may be implemented differently by different integrators. SELinux does not implement any of these things. The only thing PaX-related that SELinux implements is the MAC hook, which is more of a useful feature than a necessary component of the PaX model.
All this bragging about "information flow graphs" is ridiculous. The assumption involved (that at no point was a kernel exploit used) in such graphs is one that no security-conscious person can hold. These graphs are a guarantee of nothing (despite claims we've seen to the contrary already). Ask yourself what's more probable: that someone owns the system by finding some app on the system that uses message queues, then sends some specific data to it that causes a system compromise...eventually...somehow, or that the attacker owns the system by using a kernel exploit and bypassing SELinux completely? I don't know what world Method lives in (though I surmise it's an idiot's ivory tower) or what kind of attackers exist in this world, but any real world experience should certainly give one pause when one hears this kind of propoganda from SELinux proponents.
Civilizing SELinux Posted Nov 26, 2004 16:51 UTC (Fri) by bluefoxicy (guest, #25366) [Link] I'm not missing the point. I'm saying that we need to focus on more important things, like correcting these issues. I'm fairly sure Method is only concerned with GR vs SE in the context of the ACL, and is irritated by your trying to justify your own MAC system's shortcomings with (valid) points about the extra restrictions GR brings along.
Perhaps reimplement the GR protections around SELinux and try to get them into mainline?
Civilizing SELinux Posted Nov 26, 2004 19:55 UTC (Fri) by riel (subscriber, #3142) [Link] I've sold all my Exec-Shield exploits (that still work!), otherwise I'd offer those as well ;\Selling exploits for money?! That kind of attitude worries me...
|
|||||||||||||