Re: NSA SELinux, HP-LX

Author: Rafael 'Dido' Sevilla
To: Paolo Alexis Falcone, penguignus-2003
Subject: Re: NSA SELinux, HP-LX
On Sun, Apr 06, 2003 at 12:04:52AM +0800, Paolo Alexis Falcone wrote:
> While the concepts behind SE Linux are quite commendable, that kernel
> patch is quite very intrusive (it breaks a lot of applications unless

You can't make an omelette without breaking eggs. ;) Seriously, the only
applications that it would break are those that might violate the
security policy that you set. That means setuid root applications or
applications meant to be run as root for the most part.

> you patch them also), and is yet another layer of indirection besides
> the already existing root.

And this is a bad thing how? I believe the technical term is "mandatory
access control". Because no traditional Unix supports mandatory access
control by default, no Unix-like OS has ever gotten anything above a C2

The master 'root' account is from a security standpoint a single point
of failure. Anything that has to open a raw socket, alter system files,
or even do something as basic as bind a port with a number between 1 and
1023 must have root privileges. There are way too many things that
programs need to do that require access to root privileges, and patches
like SELinux and LIDS are ways of dividing these many powers into
smaller pieces, so now a program which needs to bind a low port need not
be granted all of the many privileges of root. Without this, you're
basically trusting that all of your root-run and setuid programs will
only do what they're supposed to do. With this, you're entrusting them
only with the powers they need. I for one believe this is worth the
extra work.

Rafael R. Sevilla <dido at imperium dot ph>    +63(2)8123151
Software Developer, Imperium Technology Inc.    +63(917)4458925
 " nothing else but a means for obtaining for the rulers
  their ambitions and covetous desires, and for the ruled the abdication
  of human dignity, reason, and conscience, and a slavish enthralment
  to those in power."
ManilaCon 2003 GNU/Linux Hardening Team Coordination List