SELinux shortcomings

Posted May 4, 2006 16:56 UTC (Thu) by alogghe (subscriber, #6661)
Parent article: The AppArmor debate begins

As I understand it-

You can't secure a mounted NFS share with SELinux because it can't apply its labels (and I wonder which other filesystem types wouldn't work either).

AppArmor would allow you to secure (to the level AppArmor does) pretty much any path in the system and so you can secure an NFS/SMB/anything mount.

For me this is pretty critical in making a choice of security systems.

Attention Captain Obvious: NFS security shortcomings are off-topic in replies ;)

SELinux shortcomings

Posted May 5, 2006 1:10 UTC (Fri) by sshimko (guest, #37560)

SELinux supports context-based mounts, so while it is not currently possible to label NFS files (although this has been explored), it is possible to label the entire mounted file system.

So what you're saying is that you'd rather have security policy enforced across arbitrary mount points? So if I mount an NFS share on /mnt, /media, and /home, the security policy is completely different for each? This doesn't sit well with me...

SELinux shortcomings

Posted May 5, 2006 5:13 UTC (Fri) by alogghe (subscriber, #6661)

Yes, we would need security enforced at different levels/files in the mount points, and SELinux would be too coarse-grained (just on/off at the mount point itself).

Network based filesystems provide a great deal of flexibility that we need here in the trenches ;)

Heh, it's funny how some of us see the different policy against the different pathname/same share as a useful feature and it makes other people paranoid.

It's dangerous, I agree, but so is any power tool.
