FC4 kernel performance

Jeff Spaleta jspaleta at gmail.com
Wed Jun 22 13:16:14 UTC 2005


On 6/22/05, Paul A Houle <ph18 at cornell.edu> wrote:
>     It's not so clear that SELinux helps much against real attacks.  It
> would take a much tougher security model than the Unix model or even the
> SELinux model to stop the virus and zombie infections that we're seeing
> in the Windows world.  Things like NX that prevent or complicate buffer
> overflow attacks may be more useful.
> 
>     If, for instance, I can find a way to execute arbitrary code in
> Firefox or Thunderbird, I can install something on your computer that
> runs as you.  It can perpetuate itself by putting itself in your
> .profile or in a cron job.  It can make socket connections to anywhere,
> and accept socket connections, so long as the port number is >1024.
> This process can send spam, do network scanning, try to infect other
> machines, install a keystroke logger, let me look through your
> personal files (and other people's files if the permissions are
> permissive,) and do plenty of other things.

I think there is a misunderstanding as to the full capabilities of
selinux as compared to the limited set of protections provided
in the current default targeted policy.  I'm pretty sure that selinux
can stop the attack vectors you mention here if selinux policy is
constructed accordingly.

-jef