Re: New stacker performance results

From: Stephen Smalley (sds@private)
Date: Wed May 25 2005 - 09:47:42 PDT


On Wed, 2005-05-25 at 12:37 -0400, Stephen Smalley wrote:
> On Wed, 2005-05-25 at 12:36 -0400, Valdis.Kletnieks@private wrote:
> > Real-life example:  There are many sites who do *not* necessarily need a
> > full-blown SELinux, but *do* want to express a policy that basically boils down
> > to "A chroot'ed process is not allowed to XYZ".
> > 
> > It appears the only way to do this inside SELinux is to define a special
> > chrooted_exec_t and force an auto_trans on exec.  And in general, it's very
> > hard to write a predicate that says "A process in condition/state X" - one has
> > to enumerate all the possible binaries and create a separate
> > "might_do_x_exec_t" (particularly interesting if you have binaries that might
> > do X if run one way, but not another (think anything that behaves differently
> > if launched from Cron)) and start writing policy.  And if a given process might
> > end up in X *or* Y *or* Z, things start getting very ugly...
> 
> The difficulties in creating an effective jail have nothing to do with
> SELinux per se, and trying to do one without the full range of control
> offered by SELinux is likely to expose you to holes.  

BTW, SELinux does support dynamic context transitions these days via
setcon(3).  Not that I'd recommend using it over exec-based
transitions, mind you, but it does exist.

-- 
Stephen Smalley
National Security Agency
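
An added example, not part of the original message and not libselinux code: the dynamic transition that setcon(3) performs, done here by writing to /proc/self/attr/current (the kernel interface setcon wraps) so that it builds without libselinux. The target type `chrooted_t` is hypothetical, and the code assumes a single-threaded caller whose policy grants the `setcurrent` and `dyntransition` process permissions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy `ctx` into `out` with its type field replaced by `new_type`.
 * Layout is user:role:type[:level]; the MLS level may itself contain ':'
 * (e.g. "s0:c0.c1023"), so only the first three separators are structural.
 * Returns 0 on success, -1 if ctx is malformed or out is too small. */
int swap_type(const char *ctx, const char *new_type, char *out, size_t outlen)
{
    const char *role = strchr(ctx, ':');
    const char *type = role ? strchr(role + 1, ':') : NULL;
    if (!type || !*new_type || strchr(new_type, ':'))
        return -1;
    type++;                                 /* first byte of the type field */
    const char *level = strchr(type, ':');  /* NULL when there is no level */
    if (*type == '\0' || level == type)
        return -1;                          /* empty type field */
    int n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(type - ctx), ctx, new_type, level ? level : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Ask the kernel to move this process into `new_type`, keeping user, role
 * and level. Returns -1 without writing anything when the current context
 * is not an SELinux context (SELinux disabled, or another LSM active). */
int dyn_transition(const char *new_type)
{
    char cur[256], next[256];
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, cur, sizeof cur - 1);
    close(fd);
    if (n <= 0)
        return -1;
    cur[n] = '\0';
    cur[strcspn(cur, "\n")] = '\0';
    if (swap_type(cur, new_type, next, sizeof next) != 0)
        return -1;
    fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0)
        return -1;
    n = write(fd, next, strlen(next) + 1);  /* whole context in one write */
    close(fd);
    return n < 0 ? -1 : 0;                  /* denied by policy gives -1 */
}
```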


