Fedora Core 2 Test 2 - delayed
Russell Coker
russell at coker.com.au
Fri Feb 27 21:39:56 UTC 2004
On Sat, 28 Feb 2004 05:25, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> On Fri, 2004-02-27 at 13:19, James Harrison wrote:
> > Can we have two kernels - one with SELinux and one without.
>
> Boot with selinux=0, and the SELinux code is disabled.
Also note that the selinux=0 code was written by James Morris, not the NSA. ;)
On Sat, 28 Feb 2004 05:19, James Harrison <jamesaharrisonuk at yahoo.co.uk> wrote:
> I read the wonderful news article about SELinux and how the NSA have
> inserted their "security" code into Linux, but I can't see any technical
> detail.
SE Linux implements the "domain type" security model. Every object that can
be accessed by a process (dir, file, socket, etc.) has a type. Every process
has a domain. A database of rules specifying which domains can access each
type is loaded by the kernel.
When any access is requested, first the standard Unix checks are performed
(i.e. UID/GID etc.), then, after those checks have passed, the SE Linux checks
are performed.
If the Unix checks deny an operation then the core SE Linux code will never
even see it. There is talk of making changes to this at some future time,
however the impression is that the main kernel people don't like such ideas.
Also the current operation is good for the time when SE Linux is becoming
popular. Lots of people can be expected to stuff up their policy, and with
the current setup they can't make things any less secure than a regular Linux
system.
The domain that a process runs in can be determined by the type of the
executable (e.g. /sbin/init has type init_exec_t, and when kernel_t exec's it
the domain transitions to init_t). The domain can also be specified by the
process calling exec (so that /bin/login and sshd can specify the correct
context for a shell).
There is a lot more than that: roles, identities, constraints, assertions, and
MLS (which we have no immediate plans to put in Fedora). But when you first
start using SE Linux you don't have to worry too much about that.
On Sat, 28 Feb 2004 02:49, "Mike A. Harris" <mharris at redhat.com> wrote:
> It's been scrutinized fairly heavily from what I understand. One
> of the beautiful things about open source is that anyone can
> scrutinize the source, so it is much more likely to have any
> security holes found and fixed in it. That's irrespective of
> whether they would be planted or accidental of course.
I know several people who have read through all the SE Linux kernel code and
looked for bugs/trojans/etc. Last time I spoke to them about such issues
none of them were willing to publicly announce this. Claiming to be good
enough at kernel coding to find any back-doors written by experts would be a
significant boast. But I think that having a number of people look through
the code gives a good degree of assurance; maybe one or two people might miss
a bug, but someone would find it.
Finally, there are lots of people who are trying to make a career in computer
security by finding vulnerabilities. If they could find a bug in SE Linux
(either deliberate or accidental) then they would become quite famous very
quickly.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
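The following is an added illustration of the "domain type" model described in the message above; it is not SE Linux code, not the kernel's implementation and not part of the original mail. It is a small Python model of the three points Russell makes: every object has a type and every process a domain; the Unix (DAC) check runs first and the SE Linux rule database is only consulted if it passes; and on exec the new domain comes either from a transition rule keyed on the executable's type (kernel_t exec'ing init_exec_t gives init_t, as in the mail) or from a context the caller explicitly requests (as login/sshd do for a shell). The labels kernel_t, init_t and init_exec_t come from the mail; sshd_t, user_t, shell_exec_t, user_home_t and shadow_t, the rule set, the Obj/Process/Policy classes and the in-memory "files" are all constructed for this example. The entrypoint check on the new domain is a simplification of real policy, not a description of it.

```python
"""Toy model of SE Linux type enforcement (constructed example, not kernel code)."""
from dataclasses import dataclass, field


@dataclass
class Obj:
    name: str
    type_: str       # SE Linux type label on the object
    owner_uid: int   # Unix owner
    mode: int        # Unix permission bits, e.g. 0o644


@dataclass
class Process:
    uid: int
    domain: str      # SE Linux domain the process runs in


@dataclass
class Policy:
    # allow rules: (source domain, target type, object class) -> set of permissions
    allow: dict = field(default_factory=dict)
    # type_transition rules: (source domain, executable type) -> new domain
    transitions: dict = field(default_factory=dict)

    def permits(self, domain, type_, cls, perm):
        return perm in self.allow.get((domain, type_, cls), set())


def dac_check(proc, obj, perm):
    """Plain Unix check: root bypasses it, owner uses the user bits, everyone else the 'other' bits."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    shift = 6 if proc.uid == obj.owner_uid else 0
    return bool((obj.mode >> shift) & bit)


def access(policy, proc, obj, perm, cls="file"):
    """Return (allowed, reason). DAC runs first; SE Linux is only consulted if DAC passes."""
    if not dac_check(proc, obj, perm):
        return False, "denied by Unix permissions (SE Linux never consulted)"
    if not policy.permits(proc.domain, obj.type_, cls, perm):
        return False, f"denied by SE Linux: {proc.domain} -> {obj.type_}:{cls} {perm}"
    return True, "allowed"


def exec_(policy, proc, exe, requested_domain=None):
    """Model exec(): pick the new domain, then check policy allows the transition."""
    allowed, why = access(policy, proc, exe, "execute")
    if not allowed:
        raise PermissionError(why)
    # explicit context from the caller wins; otherwise use the type_transition rule, if any
    new = requested_domain or policy.transitions.get((proc.domain, exe.type_), proc.domain)
    if new != proc.domain:
        if not policy.permits(proc.domain, new, "process", "transition"):
            raise PermissionError(f"SE Linux: {proc.domain} may not transition to {new}")
        if not policy.permits(new, exe.type_, "file", "entrypoint"):
            raise PermissionError(f"SE Linux: {exe.type_} is not an entrypoint for {new}")
    return Process(uid=proc.uid, domain=new)


def build_demo_policy():
    """Constructed rule set; the labels mirror the mail but the rules are illustrative."""
    p = Policy()
    p.allow[("kernel_t", "init_exec_t", "file")] = {"execute"}
    p.allow[("kernel_t", "init_t", "process")] = {"transition"}
    p.allow[("init_t", "init_exec_t", "file")] = {"entrypoint"}
    p.transitions[("kernel_t", "init_exec_t")] = "init_t"     # domain from executable type
    p.allow[("sshd_t", "shell_exec_t", "file")] = {"execute"}
    p.allow[("sshd_t", "user_t", "process")] = {"transition"}  # sshd picks the shell's context
    p.allow[("user_t", "shell_exec_t", "file")] = {"entrypoint"}
    p.allow[("user_t", "user_home_t", "file")] = {"read", "write"}
    # deliberately no rule letting user_t touch shadow_t
    return p


# constructed objects
INIT = Obj("/sbin/init", "init_exec_t", 0, 0o755)
SHELL = Obj("/bin/bash", "shell_exec_t", 0, 0o755)
HOME_FILE = Obj("/home/alice/notes", "user_home_t", 1000, 0o600)
SHADOW = Obj("/etc/shadow", "shadow_t", 0, 0o600)


def demo():
    policy = build_demo_policy()
    init = exec_(policy, Process(uid=0, domain="kernel_t"), INIT)
    shell = exec_(policy, Process(uid=0, domain="sshd_t"), SHELL, requested_domain="user_t")
    alice = Process(uid=1000, domain=shell.domain)
    return {
        "init_domain": init.domain,
        "shell_domain": shell.domain,
        "read_home": access(policy, alice, HOME_FILE, "read"),
        # stops at the Unix check, SE Linux never sees it
        "read_shadow_as_user": access(policy, alice, SHADOW, "read"),
        # root passes DAC, so this one reaches and is stopped by SE Linux
        "read_shadow_as_root_in_user_t": access(policy, Process(0, "user_t"), SHADOW, "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)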