Re: [RFC] Virtualization steps
From: Eric W. Biederman
Date: Fri Mar 31 2006 - 11:38:37 EST
Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
> On Thu, 2006-03-30 at 23:00 -0700, Eric W. Biederman wrote:
>> I do still need to read up on the selinux mandatory access controls.
>> Although the comment from the NSA selinux FAQ about selinux being
>> just a proof-of-concept and no security bugs were discovered or
>> looked for during it's implementation scares me.
>
> Point of clarification: The original SELinux prototype NSA released in
> Dec 2000 based on Linux 2.2.x kernels was a proof-of-concept reference
> implementation. I wouldn't describe the current implementation in
> mainline Linux 2.6 and certain distributions in the same manner. Also,
> the separate Q&A about "did you try to fix any vulnerabilities" is just
> saying that NSA did not perform a thorough code audit of the entire
> Linux kernel; we just implemented the extensions needed for mandatory
> access control.
>
> http://selinux.sf.net/resources.php3 has some good pointers for SELinux
> resources. There is also a recently created SELinux news site at
> http://selinuxnews.org/wp/.
Thanks. I am concerned that there hasn't been an audit, of at least
the core kernel.
My first interaction with security modules was that I fixed a but
where /proc/pid/fd was performing the wrong super user security
checks and the system became unusable for people using selinux.
Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/