[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Core 2 SELinux installation

On Fri, Apr 30, 2004 at 08:34:44AM -0400, Stephen Smalley wrote:
> So how would people feel about a separate relaxed policy that allows
> everything in the system to run completely unconfined except for a small
> set of specific services, e.g. apache, bind, postfix, ...
> That would ensure that SELinux wouldn't get in the way of users, while
> providing some protection benefit for network-facing services.
While I think that a relaxed policy might be useful to server admins who
would rather not fix their admin scripts, etc., the full policy ought not
be terribly burdensome on a dedicated server.

It is on the desktop that SELinux potentially offers the greatest benefit
and the greatest burden.  Client apps (and particularly GUI client apps) --
browser, e-mail, IM, media players, will be targeted.  We laugh at poor
MS Outlook users, but social engineering works. A measurable fraction of
Linux users will inevitably read their e-mail and follow that link,
look at that picture or video clip, play that game applet, etc.  It
is the client apps that need confinement.

While exploiting a client app doesn't immediately give the attacker
admin privileges, that's largely irrelevant if the purpose of the
attack is to (1) harvest, destroy, or modify the user's data, or (2)
use the client at a zombie for some purpose.

Confining Postfix and not Mozilla is like double-locking the front door,
but leaving the bathroom window open.


	Bill Rugolsky

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]