systrace + selinux + fedora core 4ish?
Colin Walters
walters at redhat.com
Tue Jan 18 03:36:51 UTC 2005
On Mon, 2005-01-17 at 21:03 -0600, Justin Conover wrote:
> http://www.systrace.org/
>
> http://www.citi.umich.edu/u/provos/systrace/linux.html
>
> Anybody, seen/use systrace on FC? What are your thoughts about
> using/adding it to FC?
>
> >From reading a bit about it, looks to be a very good/useful tool and
> was wondering what others thought about it?
My opinion is that it is essentially an inferior implementation of much
of the functionality SELinux provides. It does have some additional
features like the dynamic privilege elevation that seem possibly useful,
but I don't think it makes sense to use systrace just for that.
For example, from the "usr_sbin_httpd" policy:
(http://www.citi.umich.edu/u/provos/systrace/usr_sbin_httpd):
native-kill: permit
As far as I can tell, this rule permits the "unprivileged" httpd to kill
any other process it wants with the same uid, and should the root
portion be compromised, any process can be killed. The language just
doesn't allow you to express anything more fine-grained like the SELinux
TE language does.
More information about the fedora-selinux-list
mailing list