LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The SELinux Sandbox and small utility programs

The SELinux Sandbox and small utility programs

Posted May 27, 2009 15:23 UTC (Wed) by davecb (subscriber, #1574)
In reply to: Walsh: Introducing the SELinux Sandbox by Kit
Parent article: Walsh: Introducing the SELinux Sandbox

Back in the days of mainframes, you specified the files or other resources a program was going to need in a "job control" language (JCL).

If one collects and saves the jcl for all sorts of programs, we can then use SE Linux policies to limit them to only using the resources they need, making attacks by subverting programs much more difficult. Now an attacker needs to not only modify the program, but also change an SE Linux policy.

--dave

(Log in to post comments)

The SELinux Sandbox and small utility programs

Posted May 27, 2009 18:57 UTC (Wed) by Trelane (subscriber, #56877) [Link]

could this perhaps be done through extended attributes?

The SELinux Sandbox and small utility programs

Posted May 27, 2009 19:10 UTC (Wed) by davecb (subscriber, #1574) [Link]

The label and permission data is stored in an attribute of sorts, although they're different from the user-settable extended attributes.

--dave

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds