RFE: FireKit

Matthew Woehlke mw_triad at users.sourceforge.net
Fri Jul 24 20:14:06 UTC 2009


Bill McGonigle wrote:
> On 07/23/2009 06:17 PM, Matthew Woehlke wrote:
>> I have to ask... when are we going to see Linux allow network access
>> based on the checksum of the process that wants to use it? After all,
>> 'doze has had this ability for years. (Maybe SELinux can provide this
>> already?)
> 
> Is this a checksum of the binary that got launched?  Make sure prelink
> can update whatever database of checksums is being kept.  And that
> prelink isn't exploitable. :)

True. For us, something based on SELinux contexts, which should be 
dropped by the kernel on any modification (and allowed to be set by 
trusted components, say prelink and yum/rpm) is probably as good or 
better than using checksums. (Which still requires prelink to be secure, 
but then that's already required, as rogue prelink could be wreaking 
who-knows-what havoc...)

> This can't be a default on MSW, right?  My spam filter's pain would seem
> to deny that possibility.

It's not built into MSW if that's what you mean. It's from Tiny, which I 
used before switching totally to Fedora. By "has this ability" I mean 
that FWs for MSW exist which have this feature. (Also, Tiny is *not* a 
firewall for people that don't know what they are doing; using Tiny is, 
I would say, on par with 'vi /etc/sysconfig/iptables' in terms of 
user-friendliness. Powerful, really not bad when you know what you are 
doing, but absolutely not for 'Joe Sixpack'.)

-- 
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
-- 
"unsubscribe me plz!!" -- Newbies
More information about the fedora-devel-list mailing list