I must first admit that I am new to Linux, I am not qualified to suggest a feature, so please consider this a question.
IF it's true that when SELinux is fully enabled the restrictions can cause some problems when programs do things they are supposed to do but normally don't, THEN I have an idea.
What if an intrusion detection system were to inform the SELinux server that an intrusion is likely happening, which triggers a change from non-enforcement mode to enforcement mode?
Would this "raise the shields" method be useful for situations where enforcement mode just isn't right, or is this more of a fundamental misunderstanding on my part of how SELinux works...?
I think in the future this NSA project will be an example of the government receiving a 100-fold return on their investment, even considering that SELinux isn't likely to be used in classified systems.
On Tue, 2004-09-14 at 04:11, josh baverstock wrote:
> I must first admit that I am new to Linux, I am not qualified to suggest a feature, so please consider this a question.
> IF it's true that when SELinux is fully enabled the restrictions can cause some problems when programs do things they are supposed to do but normally don't, THEN I have an idea.
> What if an intrusion detection system were to inform the SELinux server that an intrusion is likely happening, which triggers a change from non-enforcement mode to enforcement mode?
> Would this "raise the shields" method be useful for situations where enforcement mode just isn't right, or is this more of a fundamental misunderstanding on my part of how SELinux works...?
Switching back and forth between permissive mode and enforcing mode in this manner is not a good idea, as:
- there is no SELinux protection at all while in permissive mode (and the IDS trigger to switch to enforcing mode may be processed too late to prevent the attack),
- the lack of any enforcement will likely cause your system to migrate into a state of operation while running in permissive mode that will break in spectacular fashion when you are suddenly switched into enforcing mode by some external event, in which case your IDS suddenly becomes a vector for an easy DoS attack.
It would be better to instead define a policy that matches your security goals in the first place, even if they are modest, and run enforcing all the time with that policy (e.g. see the targeted policy in FC3/devel). You could also try to implement multiple "levels" of security in a single policy using the runtime policy boolean support, and have your IDS trigger well-defined changes in the policy state by changing one or more policy booleans in response to events.
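As an added illustration of the alternative described in the reply (not code from the thread or from the SELinux project): an IDS hook that keeps the system in enforcing mode all the time and raises or lowers a named "security level" by flipping policy booleans with setsebool, rather than toggling permissive/enforcing. The boolean names (ids_allow_ftp_home, ids_allow_http_cgi) and the level names are hypothetical placeholders; the booleans available on a real host are whatever the loaded policy defines (list them with getsebool -a). Changes are made without -P, so they are runtime-only and revert at the next policy reload or boot.

```shell
#!/bin/sh
# Added example, not from the thread. Maps a named security level to a
# fixed set of SELinux policy boolean settings and applies them with
# setsebool, so that an IDS trigger produces a well-defined, pre-tested
# policy state instead of a surprise switch from permissive to enforcing.
# Boolean names are hypothetical placeholders; substitute the ones your
# loaded policy defines.

# Print the "name=value" pairs that a level implies, one per line.
# Unknown levels return non-zero so a typo in the IDS rule cannot
# silently apply nothing (or the wrong thing).
level_settings() {
    case "$1" in
        normal)   printf '%s\n' 'ids_allow_ftp_home=on'  'ids_allow_http_cgi=on'  ;;
        elevated) printf '%s\n' 'ids_allow_ftp_home=off' 'ids_allow_http_cgi=on'  ;;
        lockdown) printf '%s\n' 'ids_allow_ftp_home=off' 'ids_allow_http_cgi=off' ;;
        *)        return 1 ;;
    esac
}

# Build the setsebool command line for a level. No -P flag: the change is
# runtime-only and reverts at the next policy reload/boot.
build_command() {
    settings=$(level_settings "$1") || return 1
    printf 'setsebool %s\n' "$(printf '%s' "$settings" | tr '\n' ' ' | sed 's/ $//')"
}

# Apply a level. Refuses unknown levels (exit 2) and refuses to act unless
# SELinux is actually enforcing (exit 3): booleans only change anything
# under enforcement, which is the reply's whole point.
apply_level() {
    cmd=$(build_command "$1") || { echo "unknown level: $1" >&2; return 2; }
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" != "Enforcing" ]; then
        echo "refusing: SELinux is not enforcing; would have run: $cmd" >&2
        return 3
    fi
    $cmd
}

# Usage from an IDS hook: sh ids-level.sh elevated
if [ $# -gt 0 ]; then
    apply_level "$1"
fi
```

Because each level is a fixed table of boolean values, the resulting policy states can be exercised in advance (run each level under normal load and check audit logs for denials), which is what makes the transition safe when the IDS fires at an inconvenient moment.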
selinux@lists.fedoraproject.org