FC4 kernel performance
Russell Coker
russell at coker.com.au
Fri Jun 24 07:49:02 UTC 2005
On Friday 24 June 2005 01:08, Paul A Houle <ph18 at cornell.edu> wrote:
> >I have doubts about such play machines except as a learning tool, but if
> >you are interested, Russell Coker has a SELinux play machine available
> >with information at:
> >http://www.coker.com.au/selinux/play.html
The aims of the SE Linux play machines are to teach people about SE Linux and
to test the policy. Quite a number of improvements have been made to the SE
Linux policy (including adding the staff_r and support for easily adding more
roles) as a result of this.
> Yeah, I thought about this a lot last night, and realized that
> even if the SELinux implementation in the kernel was perfect,
> everything hangs on the userspace implementation.
Are you concerned about crond running a cron job as sysadm_r:sysadm_crond_t
instead of user_r:user_crond_t? If so, then the risk is smaller than the risk
of running a job as UID 0 instead of UID 1000, due to the strict controls on
creating crontab files and the checks on the context of the crontab files
before running the cron jobs.
On a machine running the strict SE Linux policy, a bug in sshd, crond,
unix_chkpwd, or login could be used to crack a system. On a machine not
running SE Linux, bugs in those programs could be used even more easily than
on a SE Linux system, as well as bugs in any SUID program (of which there are
many).
> There's a certain
> emotional reaction that people get from hearing that you can log in as
> 'root' and it's harmless,
It demonstrates that SE Linux access controls restrict all operations that a
program may perform. It's recommended that you plan on using Unix
permissions as another layer of defense, but it has been shown that SE Linux
controls everything.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
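The crontab context check described in the message above, as an added example that is not part of the original post and not code from crond or the SE Linux policy. It models the decision crond makes before running a job: the crontab file's security context must carry the owner's own SE Linux identity and the label that the crontab(1) program assigns, otherwise the job is refused rather than run in a higher-privileged domain. The identity, role, domain and spool-label tables, the sample spool entries and the account names are constructed assumptions standing in for the real policy lookup.

```python
"""Simplified model of the context check crond performs on a crontab file.

Added example, not the original message's or crond's code. The tables below
are assumptions that stand in for the real SE Linux policy lookup; the
spool entries are constructed sample data.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Context(NamedTuple):
    user: str   # SE Linux identity, e.g. "root" or "bob"
    role: str   # e.g. "object_r" for files, "user_r" for processes
    type: str   # domain or file type, e.g. "user_crond_t" or "user_cron_spool_t"


def parse_context(text: str) -> Context:
    """Parse "user:role:type[:level]"; a trailing MLS level is ignored."""
    parts = text.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {text!r}")
    return Context(parts[0], parts[1], parts[2])


# Assumed policy facts (hypothetical simplification of the 2005 strict policy):
# which SE Linux identity each Unix account maps to, the default role of that
# identity, and the crond domain that role's jobs run in.
ACCOUNT_TO_IDENTITY: Dict[str, str] = {"root": "root", "bob": "bob", "alice": "alice", "dave": "dave"}
DEFAULT_ROLE: Dict[str, str] = {"root": "sysadm_r", "bob": "user_r", "alice": "staff_r", "dave": "user_r"}
CROND_DOMAIN: Dict[str, str] = {
    "sysadm_r": "sysadm_crond_t",
    "staff_r": "staff_crond_t",
    "user_r": "user_crond_t",
}
# Assumed label that the crontab(1) program gives a legitimately installed crontab.
CRON_SPOOL_TYPE = "user_cron_spool_t"


def job_context(owner: str, file_context: str) -> Optional[str]:
    """Return the context a job from owner's crontab runs in, or None to refuse it.

    Two checks, both done before anything is executed:
    1. the file's identity must be the owner's own identity, so a crontab that
       has somehow been labeled with root's identity does not yield a root job;
    2. the file's type must be the crontab(1) spool label, so a file copied or
       moved into the spool directory by other means is not honoured.
    """
    ctx = parse_context(file_context)
    identity = ACCOUNT_TO_IDENTITY.get(owner)
    if identity is None or ctx.user != identity:
        return None
    if ctx.type != CRON_SPOOL_TYPE:
        return None
    role = DEFAULT_ROLE[identity]
    return f"{identity}:{role}:{CROND_DOMAIN[role]}"


# Constructed sample of (owner, file context) pairs, as if read from the spool.
CONSTRUCTED_SPOOL: List[Tuple[str, str]] = [
    ("root", "root:object_r:user_cron_spool_t"),    # legitimate: sysadm_crond_t
    ("bob", "bob:object_r:user_cron_spool_t"),      # legitimate: user_crond_t
    ("alice", "root:object_r:user_cron_spool_t"),   # carries root's identity: refused
    ("dave", "dave:object_r:user_home_t"),          # not installed via crontab(1): refused
]


def audit_spool(entries: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Map each crontab owner to the job context crond would use, or None if refused."""
    return {owner: job_context(owner, ctx) for owner, ctx in entries}


if __name__ == "__main__":
    for owner, result in audit_spool(CONSTRUCTED_SPOOL).items():
        print(f"{owner:6} -> {result or 'REFUSED'}")
```

The alice entry is the case the message is about: even with the file labeled under root's identity, the mismatch against the owner's identity means the job is refused outright rather than run as sysadm_crond_t, which is what makes a crond bug in this area less serious than the UID 0 versus UID 1000 question on a system without SE Linux.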