FC4 kernel performance
Alan Cox
alan at redhat.com
Wed Jun 22 14:46:06 UTC 2005
On Wed, Jun 22, 2005 at 08:53:10AM -0400, Paul A Houle wrote:
> It's not so clear that SELinux helps much against real attacks. It
> would take a much tougher security model than the Unix model or even the
> SELinux model to stop the virus and zombie infections that we're seeing
> in the Windows world. Things like NX that prevent or complicate buffer
> overflow attacks may be more useful.
They serve very different purposes. NX tries to help protect against certain
kinds of code flaw attacks. SELinux models can also try and protect users
against themselves.
> If, for instance, I can find a way to execute arbitrary code in
> Firefox or Thunderbird, I can install something on your computer that
> runs as you. It can perpetuate itself by putting itself in your
> .profile or in a cron job. It can make socket connections to anywhere,
If the SELinux ruleset is right then except for the outgoing connections that
isnt clear.
Alan
More information about the fedora-devel-list
mailing list