On Mon, 1 Apr 2002 22:51, Stephen Smalley wrote:
> > be stacked with SELinux? In particular, it seems like
> > Openwall would be useful to stack with SELinux.
>
> Not currently. At present, the SELinux security module only functions as
> a primary security module and provides minimal support for using either
> the dummy security module (traditional superuser logic) or the
> capabilities security module as a secondary security module. The
> recommended configuration is to use SELinux with capabilities.

I've just had a look at what the LSM patch provides; it seems that stack
protection is not an option.

As Stephen notes, the special sym-link handling for /tmp doesn't work.

The special handling for file handles 0, 1, and 2 for SUID programs works.

I haven't tested the CONFIG_OWLSM_RLIMIT_NPROC feature, as it's difficult to
test and not something that I regard as being so essential.

For the symlinks problem, a suitably restrictive set of SE permissions can
greatly limit it. In my SE policy files I'm configuring most daemons to have
little access to files outside their domain, so a sym-link based attack on
one of those daemons won't do any good. I am configuring daemons to lack
read access to files and directories owned by user_t as much as possible!

Regarding the protection against stack smashing, why isn't that in LSM?

--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
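The two Openwall (OWLSM) hardening features the message discusses, the /tmp sym-link restriction and the guard on file handles 0, 1 and 2 for SUID programs, are kernel-side checks. The following is an added example, not code from the message, the OWLSM patch or SELinux, that expresses both rules in user space so the policy can be read and tried: a symlink in a world-writable sticky directory is followed only if it is owned by the follower or by the directory owner, and any of descriptors 0-2 found closed is reopened on /dev/null before a privileged program runs. Function names, the `fds` parameter and the constructed scenario in `demo()` are assumptions made for this example.

```python
import os
import stat
import tempfile

DEVNULL = "/dev/null"


def symlink_follow_allowed(follower_uid, link_uid, dir_uid, dir_mode):
    """Openwall-style rule for symlinks in world-writable sticky directories
    such as /tmp: outside such a directory any link may be followed; inside
    it, only a link owned by the follower or by the directory owner may be.
    Returns True when following is permitted."""
    sticky_world_writable = bool(dir_mode & stat.S_ISVTX) and bool(dir_mode & stat.S_IWOTH)
    if not sticky_world_writable:
        return True
    return link_uid == follower_uid or link_uid == dir_uid


def check_path_symlink(path, follower_uid=None):
    """Apply the rule to a real path using lstat on the link and stat on
    its parent directory. Non-symlinks are always allowed."""
    if follower_uid is None:
        follower_uid = os.getuid()
    link_st = os.lstat(path)
    if not stat.S_ISLNK(link_st.st_mode):
        return True
    parent = os.path.dirname(os.path.abspath(path))
    dir_st = os.stat(parent)
    return symlink_follow_allowed(follower_uid, link_st.st_uid, dir_st.st_uid, dir_st.st_mode)


def ensure_std_fds_open(fds=(0, 1, 2)):
    """Openwall-style guard for descriptors 0, 1 and 2: any descriptor in
    `fds` that is closed is reopened on /dev/null, so the first file a
    privileged program opens cannot silently become its stdout or stderr.
    `fds` is a parameter only so the check can be exercised on a spare
    descriptor; the real guard runs on (0, 1, 2). Returns the descriptors
    that were reopened."""
    reopened = []
    for fd in fds:
        try:
            os.fstat(fd)          # raises if the descriptor is closed
            continue
        except OSError:
            pass
        flags = os.O_RDONLY if fd == 0 else os.O_WRONLY
        new_fd = os.open(DEVNULL, flags)
        if new_fd != fd:          # lowest free slot was not the one we want
            os.dup2(new_fd, fd)
            os.close(new_fd)
        reopened.append(fd)
    return reopened


def demo():
    """Constructed scenario: a temporary 1777 directory holding a link we
    own (allowed), and a deliberately closed descriptor that the guard
    reopens. Returns (link_allowed, reopened_list_matches)."""
    tmpdir = tempfile.mkdtemp()
    os.chmod(tmpdir, 0o1777)
    link = os.path.join(tmpdir, "link")
    os.symlink(DEVNULL, link)
    try:
        link_allowed = check_path_symlink(link)
    finally:
        os.unlink(link)
        os.rmdir(tmpdir)

    spare = os.open(DEVNULL, os.O_RDONLY)
    os.close(spare)               # leave a hole where `spare` was
    reopened = ensure_std_fds_open(fds=(spare,))
    os.close(spare)               # clean up the descriptor the guard opened
    return link_allowed, reopened == [spare]


if __name__ == "__main__":
    print("link owned by us in 1777 dir allowed:", demo()[0])
    print("link owned by another user in /tmp (uid 0 owner) allowed:",
          symlink_follow_allowed(1000, 1001, 0, 0o1777))
```

The pure-logic `symlink_follow_allowed` is the part worth reading against the message: a link in /tmp owned by root (the directory owner) or by the caller is fine, one owned by any other user is refused, and the same link in a non-sticky directory is always followed. The descriptor guard is what the message reports as working under LSM; reopening on /dev/null before the program's own opens is the whole trick.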
This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 14:31:41 PST