Red Hat Bugzilla would be a good start...
Posted Apr 20, 2006 12:15 UTC (Thu) by nix (subscriber, #2304)
Posted Apr 20, 2006 18:34 UTC (Thu) by smoogen (subscriber, #97)
I remember having to go through a LOT of systems in the mid/late 1990's where almost everything had been chmod'd 666 or 777 because something hadn't worked and that was the fix to get whatever was broken working.
Not saying that selinux isn't too complicated... but my feeling of deja-vu is strong.
Posted Apr 22, 2006 22:00 UTC (Sat) by nix (subscriber, #2304)
Complexity is the enemy of security, and having used it for a while I'm fairly sure that SELinux is way over there on the `too complex' axis.
Posted Apr 20, 2006 20:58 UTC (Thu) by jeskritt (guest, #4092)
1) Add them to your /etc/selinux/targeted/src/policy/domains/misc/local.te
2) then "make load" in the /etc/selinux/targeted/src/policy dir to load your new policy
3) file a bugzilla report with the new rules and why.
you'll need the policy sources installed
Posted Apr 21, 2006 9:37 UTC (Fri) by rwmj (subscriber, #5474)
Posted Apr 22, 2006 0:48 UTC (Sat) by erich (subscriber, #7127)
When you're talking iptables this would be using the LOG target with a rate limit, then adding appropriate iptables rules for the good traffic - then setting OUTPUT to DROP by default...
Any whitelist based (read: reject by default, the only reliable approach to system security) system will need to learn what acceptable behaviour is.
AppArmor needs this kind of "training", too. Except that AFAIK they have a tool to do that mostly automatically, whereas the SELinux reference policy is hand-written to make sure that only needed permissions are granted.
SELinux policy files are already very complete, they contain information for hundreds (literally, I just counted 197 policy modules) of different services. And no, "ls" is not a service, it doesn't have a policy of its own... we're talking large, mostly networking applications here.
However, not all features in all services have already been whitelisted. I guess you might not even want to whitelist all of them (that's why there are tuneables/booleans in SELinux). And every now and then you'll be using a local extension.
For example, my OpenVPN server does update the DNS server and it has a status file, which is then read by munin for statistics.
For obvious reasons, OpenVPN *by default* was not allowed to update my DNS or even write its state file. Nor was munin allowed to read the status file (which has no common location, this is all my own scriptwork).
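The "training" step that jeskritt's three-step recipe and erich's OpenVPN/munin case both describe is: read the AVC denials the kernel logged, turn them into `allow` rules, and drop those rules into local.te before running "make load". The script below is an added example, not code from this thread, from SELinux, or from the real audit2allow: it is a deliberately small audit2allow-style generator. The AVC lines are constructed to match erich's scenario (openvpn writing a status file under /var/log, munin reading it, openvpn's script talking to the DNS server over TCP); the type names openvpn_t, munin_t, var_log_t and dns_port_t and the audit record layout are assumptions for illustration.

```python
"""Tiny audit2allow-style generator: turn AVC denials into allow rules.

Added example for the LWN thread above.  It is NOT the real audit2allow
and not part of any SELinux policy; the sample denials, type names and
file layout below are constructed for illustration.
"""
import re
from collections import OrderedDict

# Constructed sample audit.log AVC records (assumption: the 2.6-era audit
# format).  They model erich's case: openvpn writes its status file,
# munin-node reads it, and openvpn's helper talks to the DNS server.
SAMPLE_AVC = """\
type=AVC msg=audit(1146000000.101:41): avc:  denied  { write } for  pid=2101 comm="openvpn" name="openvpn-status.log" dev=sda1 ino=7321 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1146000000.102:42): avc:  denied  { append } for  pid=2101 comm="openvpn" name="openvpn-status.log" dev=sda1 ino=7321 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1146000000.205:43): avc:  denied  { read } for  pid=2188 comm="munin-node" name="openvpn-status.log" dev=sda1 ino=7321 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1146000000.206:44): avc:  denied  { getattr } for  pid=2188 comm="munin-node" path="/var/log/openvpn-status.log" dev=sda1 ino=7321 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1146000000.300:45): avc:  denied  { name_connect } for  pid=2101 comm="nsupdate" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1146000000.300:45): arch=c000003e syscall=42 success=no exit=-13
"""

# One AVC denial: the permission set in braces, then the source and target
# security contexts and the object class.  "granted" records do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


def context_type(ctx):
    """Extract the type from a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted AVCs, unrelated lines
        perms = frozenset(m.group("perms").split())
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               perms)


def collect_rules(log_text):
    """Merge denials into one permission set per (source, target, class)."""
    merged = OrderedDict()
    for stype, ttype, tclass, perms in parse_denials(log_text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return merged


def render_te(merged):
    """Render the merged sets as allow rules suitable for local.te."""
    lines = []
    for (stype, ttype, tclass), perms in merged.items():
        lines.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    return "\n".join(lines)


if __name__ == "__main__":
    # Prints three allow rules; review them before appending to local.te.
    print(render_te(collect_rules(SAMPLE_AVC)))
```

The generated rules are a starting point, not the answer: here they grant openvpn_t write access to every var_log_t file, because the status file inherited the generic directory label. The tighter fix, and the one worth filing in the Bugzilla report jeskritt mentions, is a dedicated type for the status file so that only openvpn_t may write it and only munin_t may read it.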
Posted May 14, 2006 5:50 UTC (Sun) by pimlott (guest, #1535)
He should at least put a notice on his web page: "Please don't attack me for a couple weeks. Thanks."
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds