RPM security (a newbie question)
maximilianbianco at gmail.com
Thu Apr 2 13:50:51 UTC 2009
Stanisław T. Findeisen wrote:
> Todd Zullinger wrote:
>> And, of course, on top of compiler options and firewalls, SELinux is
>> one more layer that is added to protect against problems in upstream
>> code. If upstream code has some hole that tries to mail off
>> /etc/passwd somewhere, this is very likely to be denied by SELinux.
>> And when someone reports the denial, Dan, Miroslav, and the other
>> SELinux maintainers aren't too likely to allow it without asking what
>> good reason the upstream code would have to take such an action.
> SELinux will not help you more if it gets overwritten/rootkited by
> malicious RPM package (for instance during the install process).
> You execute rpm install as root, don't you.
Selinux might help you there but it depends entirely on the policy in
use. SELinux has no concept of "root" as you understand it. In SELinux
root is just another user that can be confined like everyone else, the
current policy maintains the traditional "root is god" sort of thing but
this is not a requirement of SELinux but a requirement of its user base.
As to what protection the current policy in use provides against that
sort of thing, others more qualified may answer in more detail. If
SELinux interests you then read this :
"Any fool can know. The point is to understand" --Albert Einstein
More information about the users