Re: New stacker performance results

From: Stephen Smalley (sds@private)
Date: Wed May 25 2005 - 09:59:44 PDT
On Wed, 2005-05-25 at 13:03 -0400, Valdis.Kletnieks@private wrote:
> On Wed, 25 May 2005 12:37:59 EDT, Stephen Smalley said:
> 
> > The difficulties in creating an effective jail have nothing to do with
> > SELinux per se, and trying to do one without the full range of control
> > offered by SELinux is likely to expose you to holes.  
> 
> Right.  The point was that even if you *are* using SELinux, trying to
> satisfy a security policy that says "A chrooted process may not..."
> is difficult.

Yes, but with SELinux, you have a chance at doing it because you have
comprehensive controls and you can apply a tool like apol to check
whether said process can ultimately reach a given state.  If you choose
to implement your own little security module from scratch, you are much
less likely to hit the mark.

-- 
Stephen Smalley
National Security Agency
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 10:09:08 PDT