[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: brute force ssh attack



Matthew Miller wrote:
[snip]
>>> We need to *address* that, not just
>>> say "this is approximately zero threat". Obviously education is part
>>> of it. A more sophisticated SE Linux could be another.
>> A more sophisticated SELinux would require a more sophisticated user to
>>  administer it.  Catch-22.
>
> Well, *that's* the place where it needs to be more sophisticated. The
> current SE Linux is basically like assembly-language. It needs to be made
> more understandable at a higher-level view -- and then more transparent.

Somewhere along the line, though, that user must have the ability to
change SELinux permissions, and/or have the permissions to change binary
files (for example package updates).

SELinux doesn't provide a way to stop and administrator determined to do
something unwise.  To use your example above (that I snipped), there is no
possible way to stop someone from following steps given in a pop up that
disable SELinux and install a program.  Or give a program the SELinux
permissions it needs to do whatever it wants to.

It still boils down to an education issue.  Don't allow random things to
install on your system.  Don't look at SELinux and file permissions as
things to be worked around because they get in your way.

Take the example a virus that spreads by using a password-protected zip
file, making the user: manually save the file, unzip it (using the
password), manually run the executable.  Nothing short of education can
stop something like that.

--
William Hooper


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]