LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Signed Executables.

Signed Executables.

Posted Mar 2, 2007 6:57 UTC (Fri) by tetromino (subscriber, #33846)
In reply to: Signed Executables. by aashenfe
Parent article: Hunting for Rootkits

You have basically described a selinux system with a gpg-aware package manager.

(Log in to post comments)

Signed Executables.

Posted Mar 2, 2007 15:34 UTC (Fri) by aashenfe (guest, #12212) [Link]

Very true. SELinux can and probably does provide this and way much more.

I think "way much more" might be the problem.

When I'm looking around for different howto's for certain setups, a number of time it says they disabled SELinux to get the system to work correctly. I try to leave SELinux enabled if I can, but sometimes I still give up and disable it. I'm sure there is a way to configure SELinux correctly, and maybe I'm irresponsible for not figuring it out.

I like the Idea of signed executables because it targets one security question. "Do I let this executable run?" SElinux or AppArmor can then answer the harder to setup question "What do I let this executable do? "

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds