<p dir="ltr"><br>
On 19/Aug/2014 17:10 "Tomas Hozza" <<a href="mailto:thozza@redhat.com">thozza@redhat.com</a>> wrote:<br>
><br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA1<br>
><br>
> Hello.<br>
><br>
> ISC is working on new BIND 9.10 release which includes the seccomp<br>
> functionality. It can be turned on by configuring BIND before build with<br>
> "--enable-seccomp".<br>
><br>
> ISC asked me to kindly ask Fedora community if they would be willing to<br>
> test it. Currently I'm working on rebasing BIND to 9.10 in rawhide.<br>
> However it is still not finished. Since DHCP (including dhclient)<br>
> depends on BIND libraries I'm not able to easily provide a testing RPMs<br>
> that would be installable.<br>
><br>
> In the future I would like to turn the feature on by default.<br>
><br>
> So if you are willing to test the feature, you can download latest BIND<br>
> 9.10.1b2 on <a href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</a><br>
><br>
> Configure it with "--enable-seccomp" and you're good to go.<br>
><br>
> You can send your feedback to <a href="mailto:bind-beta-response@lists.isc.org">bind-beta-response@lists.isc.org</a>,<br>
> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a> or <a href="mailto:bind-bugs@isc.org">bind-bugs@isc.org</a><br>
><br>
> Some words about the feature from the contributor:<br>
> "It goes further than a chroot. chroot limits an attacker to a<br>
> filesystem. it doesn't prevent the attacker from running his "exploit"<br>
> aka nefarious code and making socket connections over the internet that<br>
> would give him some kind of backdoor access where he can remotely<br>
> execute his code.<br>
><br>
> That's where seccomp kicks in, it acts as a 2nd wall of defence. In case<br>
> of a security hole being present in the server process, it goes further<br>
> than a chroot, it prevents the attacker from making socket connections<br>
> or executing his code, as his "playing field" is significantly reduced.<br>
> There's very little he can do."</p>
<p dir="ltr">Is there some duplication of the security features that a MAC system such as SELinux offers, in the first place? Sure, someone can tell that SELinux could be disabled by the lazy sysadmin.</p>
<p dir="ltr">Thanks</p>
<p dir="ltr">Best regards<br>
><br>
> Thank you.<br>
><br>
> Regards,<br>
> - --<br>
> Tomas Hozza<br>
> Software Engineer - EMEA ENG Developer Experience<br>
><br>
> PGP: 1D9F3C2D<br>
> Red Hat Inc. <a href="http://cz.redhat.com">http://cz.redhat.com</a><br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v1<br>
><br>
> iQEcBAEBAgAGBQJT82i/AAoJEMWIetUdnzwtooYH/1hffLhpDtY1zTPNVtSlFLUx<br>
> 236mJQGZMS5jsHAKPtd354qLCSMSIBTEeeGPCUkV9YC3ZtrF+wT6FCN1XFgDylpr<br>
> 7S2toCAVOpjbPIUIOJZ8HvRZENb//KGxUHg8GrlIfHZMeXB9EXhvaTcxLC1QTX04<br>
> JSZyQKXIaDWurTGM/AQESAwHkIWK1vaubmrI2dt8L0mp9e5RWc3N/sb5XAup0jfa<br>
> zfkP/oPsmeS6mZvKdoc/BiwDDj8bLm8NBLHFO++tES0e43HnWAo9+H4HqSNuX5JQ<br>
> 0q4a11zy55VtL8G99kzGN64gdvtXbiNDVuxulecWxxK9BUncHv3aXu5t4ggO0yg=<br>
> =MtKc<br>
> -----END PGP SIGNATURE-----<br>
> --<br>
> devel mailing list<br>
> <a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/devel">https://admin.fedoraproject.org/mailman/listinfo/devel</a><br>
> Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct">http://fedoraproject.org/code-of-conduct</a></p>