SE-Linux
Posted Nov 20, 2003 12:27 UTC (Thu) by simlo (subscriber, #10866)
In reply to: Security updates for old Red Hat releases by maceto
Parent article: Security updates for old Red Hat releases
> Se you don't wanna change kernel- use Se-linux or lids then
From the very little I know about SE-Linux I still think I can conclude the following:
Even with SE-Linux you will have to upgrade the kernel if a bug is found. I can see no way a system can lock down your access if the system itself is buggy (see X-box for instance). You might live with the bug if it, for instance, gives users root permissions, as SE then might catch it. But buffer overflows in the kernel itself can still be used to get arbitrary code executed in the kernel, thus avoiding SE as well as normal permission checks. And DOS attacks have of course nothing to do with SE or not.
On the other hand you can better live with bugs in userspace applications like sshd and Apache as the SE system might be able to catch the problems.
Conclusion: Kernel updates are still needed. But you might be able to relax a bit about other updates.
Again, I don't know so much about SE but I don't believe in magic :-)