Re: [RFC] Virtualization steps
From: Stephen Smalley
Date: Fri Mar 31 2006 - 09:45:30 EST
On Thu, 2006-03-30 at 23:00 -0700, Eric W. Biederman wrote:
> I do still need to read up on the selinux mandatory access controls.
> Although the comment from the NSA selinux FAQ about selinux being
> just a proof-of-concept and no security bugs were discovered or
> looked for during it's implementation scares me.
Point of clarification: The original SELinux prototype NSA released in
Dec 2000 based on Linux 2.2.x kernels was a proof-of-concept reference
implementation. I wouldn't describe the current implementation in
mainline Linux 2.6 and certain distributions in the same manner. Also,
the separate Q&A about "did you try to fix any vulnerabilities" is just
saying that NSA did not perform a thorough code audit of the entire
Linux kernel; we just implemented the extensions needed for mandatory
access control.
http://selinux.sf.net/resources.php3 has some good pointers for SELinux
resources. There is also a recently created SELinux news site at
http://selinuxnews.org/wp/.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/