SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 15:44 UTC (Thu) by jake (editor, #205)
In reply to: SELinuxDenyPtrace and security by default by kees
Parent article: SELinuxDenyPtrace and security by default

> There's no reason to reinvent the wheel. Just use Yama

Yama is nice, for sure, but doesn't it run afoul of the 'no stacking LSMs' problem here? In order to load Yama by default, wouldn't Fedora have to disable SELinux by default? (some would, of course, claim that as a *good* thing, but it seems a little unlikely that Fedora would go that route)

Or am I missing something here?



SELinuxDenyPtrace and security by default

Posted Apr 12, 2012 15:58 UTC (Thu) by kees (subscriber, #27264)

Right, I give an example of how to stack it: ...

My point being that if Eric Paris was going to write out-of-tree code to handle a case that Yama already handles, why not just use the out-of-tree stacking code instead, and gain all the dynamic policy logic that Yama already provides?
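A quick way to see which of the two mechanisms discussed in this thread is actually restricting ptrace on a host. This is an added example, not code from either commenter; it assumes Yama exposes its scope at /proc/sys/kernel/yama/ptrace_scope and that the SELinux boolean the feature adds is named deny_ptrace under selinuxfs, and takes an optional root prefix so it can be pointed at a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Report which kernel-level ptrace restriction applies: Yama's
# ptrace_scope sysctl and/or the SELinux deny_ptrace boolean.
# The optional first argument is a root prefix (assumption: used
# only so the function can be exercised against a fake tree).

# Describe a Yama ptrace_scope value (0-3) in words.
yama_scope_desc() {
    case "$1" in
        0) echo "classic: any process may ptrace others with the same uid" ;;
        1) echo "restricted: only descendants, or a process named via PR_SET_PTRACER" ;;
        2) echo "admin-only: ptrace requires CAP_SYS_PTRACE" ;;
        3) echo "no attach: ptrace attach disabled until reboot" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# Print one line per active mechanism, or a notice if neither is present.
ptrace_restriction_status() {
    root="${1:-}"
    found=0
    scope_file="$root/proc/sys/kernel/yama/ptrace_scope"
    if [ -r "$scope_file" ]; then
        scope=$(cat "$scope_file")
        echo "yama ptrace_scope=$scope ($(yama_scope_desc "$scope"))"
        found=1
    fi
    # selinuxfs boolean files hold "<current> <pending>"; report current.
    bool_file="$root/sys/fs/selinux/booleans/deny_ptrace"
    if [ -r "$bool_file" ]; then
        cur=$(cut -d' ' -f1 "$bool_file")
        echo "selinux deny_ptrace=$cur"
        found=1
    fi
    [ "$found" -eq 1 ] || echo "no ptrace restriction mechanism found"
}
```

Run `ptrace_restriction_status` with no argument to inspect the live system; on a kernel without Yama and without SELinux it reports that neither mechanism is present.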

Let's not go that way

Posted Apr 15, 2012 9:48 UTC (Sun) by man_ls (guest, #15091)

Perhaps because stacking security modules would be an implicit assumption that SELinux is not always the right solution to security module problems, and somehow question Fedora's choice. In a few releases Fedora might feel even that SELinux is not really needed at all, and stop enabling it by default. Then admins who have taken the pains to learn SELinux (and perhaps even write some 100k-line configuration files) would feel cheated, and turn to Debian or (gasp) Ubuntu for their needs. Finally Red Hat would lose its market valuation and Canonical would start trading in the Nasdaq making Shuttleworth immensely rich again. Finally the world would get noticeably warmer from all the space trips he would make, and in 100 years civilization as we know it would crumble. It's a slippery slope!

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds