FC4 kernel performance

Alan Cox alan at redhat.com
Wed Jun 22 14:46:06 UTC 2005


On Wed, Jun 22, 2005 at 08:53:10AM -0400, Paul A Houle wrote:
>    It's not so clear that SELinux helps much against real attacks.  It 
> would take a much tougher security model than the Unix model or even the 
> SELinux model to stop the virus and zombie infections that we're seeing 
> in the Windows world.  Things like NX that prevent or complicate buffer 
> overflow attacks may be more useful.

They serve very different purposes.  NX tries to help protect against certain
kinds of code flaw attacks. SELinux models can also try and protect users 
against themselves.

>    If,  for instance,  I can find a way to execute arbitrary code in 
> Firefox or Thunderbird,  I can install something on your computer that 
> runs as you.  It can perpetuate itself by putting itself in your 
> .profile or in a cron job.  It can make socket connections to anywhere,  

If the SELinux ruleset is right then except for the outgoing connections that
isnt clear. 

Alan




More information about the devel mailing list