On Fri, 2003-11-28 at 00:31, Enrico Scholz wrote:
> 1. SELinux can protect foreign processes. But is it possible to hide
> them in /proc also?

It is not currently possible to hide them. However, the entries in
/proc have the same type as the domain of the running process. So if
you don't allow any operations on that type (including getattr), then
the only thing one can tell is that a process exists at that PID.

> 2. Is chroot(2) implemented in a safe manner? Or, can parent
> of build-roots be protected with SELinux policies? Is a safe chroot(2)
> required at all?

Using SELinux, a chroot doesn't provide any additional direct security.
However, you may find it convenient to use a chroot in this instance so
that different sets of packages can be installed, etc.

> 3. What is the performance impact of the policy checking?

Minimal; IIRC the overhead was something like 1-2% for very system-call
intensive tasks, and negligible after that.

> 4. How can disk/memory usage be restricted with SELinux? Would CKRM be

SELinux does not deal with resource restrictions.

> 5. Can special mount-operations (e.g. /proc filesystem) be allowed by
> the policy, or does this require a userspace helper also?

The mount system call is restricted, yes.

> 6. Setup of an SELinux policy seems to be very complicated. How
> are holes in a setup?

Assuming that there are no bugs in the kernel, it is impossible to reach
sysadm_t (essentially equivalent to the SELinux "root") if the policy
doesn't very explicitly permit it.

I hope that answers your questions!
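As an added illustration of the answer to question 1 (this fragment is not part of the message above), the following SELinux policy-language assertions state that a user_t process may not inspect the /proc entries of a sysadm_t process; the type names user_t and sysadm_t are assumed from a reference-style policy, and the permission sets are limited to ones the text mentions or implies (getattr, search, read).

```text
# Added example, not from the original message. Assumes the domain types
# user_t and sysadm_t exist in the policy being built.
#
# /proc/<pid> is labelled with the type of the process's own domain, so the
# rules a "ps"-like tool in user_t would need in order to inspect a sysadm_t
# process look like this (deliberately NOT granted here):
#
#   allow user_t sysadm_t:dir      { getattr search read };
#   allow user_t sysadm_t:file     { getattr read };
#   allow user_t sysadm_t:lnk_file { getattr read };
#   allow user_t sysadm_t:process  getattr;
#
# The neverallow statements below are checked by checkpolicy when the
# policy is compiled: if any allow rule anywhere in the policy grants one
# of these permissions, the build fails. With them in place, the only thing
# a user_t process can learn about a sysadm_t process is that some process
# exists at that PID.
neverallow user_t sysadm_t:dir      { getattr search read };
neverallow user_t sysadm_t:file     { getattr read };
neverallow user_t sysadm_t:lnk_file { getattr read };
neverallow user_t sysadm_t:process  getattr;
```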