FC4 kernel performance

Russell Coker russell at coker.com.au
Fri Jun 24 07:49:02 UTC 2005


On Friday 24 June 2005 01:08, Paul A Houle <ph18 at cornell.edu> wrote:
> >I have doubts about such play machines except as a learning tool, but if
> >you are interested, Russell Coker has a SELinux play machine available
> >with information at:
> >http://www.coker.com.au/selinux/play.html

The aims of the SE Linux play machines are to teach people about SE Linux and 
to test the policy.  Quite a number of improvements have been made to the SE 
Linux policy (including adding the staff_r and support for easily adding more 
roles) as a result of this.

> Yeah, I thought about this a lot last night, and realized that
> even if the SELinux implementation in the kernel was perfect,
> everything hangs on the userspace implementation.

Are you concerned about crond running a cron job as sysadm_r:sysadm_crond_t 
instead of user_r:user_crond_t?  If so then the risk is smaller than the risk 
of running a job as UID 0 instead of UID 1000 due to the strict controls on 
creating crontab files and the checks on the context of the crontab files 
before running the cron jobs.

On a machine running the strict SE Linux policy a bug in sshd, crond, 
unix_chkpwd, or login could be used to crack a system.  On a machine not 
running SE Linux bugs in those programs could be used even more easily than 
on an SE Linux system, as well as bugs in any SUID program (of which there are 
many).

> There's a certain 
> emotional reaction that people get from hearing that you can log in as
> 'root' and it's harmless,

It demonstrates that SE Linux access controls restrict all operations that a 
program may perform.  It's recommended that you plan on using Unix 
permissions as another layer of defense, but it has been shown that SE Linux 
controls everything.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



