On Sun, 4 Jan 2004 07:53, martin f krafft <[EMAIL PROTECTED]> wrote:
> thus spoke Russell Coker <[EMAIL PROTECTED]> [2003.12.19.0229 +0100]:
> > In terms of LSM protection against this, if you use SE Linux then
> > all aspects of file access and module loading are controlled by
> > the policy. I
Please excuse the delayed response... better ever than never...
Thanks for all comments so far, while LSM/SELinux has been losing
points with me for a while, it is now on the upswing again...
A couple of comments or questions follow:
thus spoke Henrique de Moraes Holschuh <[EMAIL PROTECTED]> [20
On Fri, 19 Dec 2003 20:18, Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> On Fri, 19 Dec 2003, Russell Coker wrote:
> > In terms of LSM protection against this, if you use SE Linux then all
> > aspects of file access and module loading are controlled by the policy.
> > I am going to writ
On Fri, 19 Dec 2003, Russell Coker wrote:
> In terms of LSM protection against this, if you use SE Linux then all aspects
> of file access and module loading are controlled by the policy. I am going
> to write a policy that implements something similar to BSD secure levels so
> that you can put
On Fri, 19 Dec 2003 08:02, martin f krafft <[EMAIL PROTECTED]> wrote:
> I would be very interested, Russell, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent
On Thu, 18 Dec 2003, martin f krafft wrote:
> I would be very interested, Russell, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent that.
Given the patch-the
thus spoke Russell Coker <[EMAIL PROTECTED]> [2003.11.30.1324 +0100]:
> LSM was not invented by the SE Linux people, it was requested by
> Linus as a way of enabling the integration of multiple security
> systems into the kernel. It's a pity that the developers of other
> security systems didn't
On Monday, 1 December 2003 15:56, Colin Walters wrote:
> On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
>
> > - It needs an extra account ("security officer" with UID 400) which is
> > a pretty bad idea IMHO. Since once you are SO (cracked/sniffed
> > password etc.), you can alter anything w
On Saturday, 29 November 2003 11:08, Russell Coker wrote:
> On Sat, 29 Nov 2003 20:05, Martin Pitt <[EMAIL PROTECTED]> wrote:
> > SELinux only uses LSM which makes it easy to port, but seems
> > impractical and even dangerous for real-world use [1][2]. Minor issues
>
> [1] and [2] are matters of o
On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
> - It needs an extra account ("security officer" with UID 400) which is
> a pretty bad idea IMHO. Since once you are SO (cracked/sniffed
> password etc.), you can alter anything which seems like a giant
> security risk to me.
If the password
On Saturday, 29 November 2003 10:05, Martin Pitt wrote:
> RSBAC has a lot of nice features and seems pretty well designed, but I
> do not use it because of the following:
>
> - Security policies (ACLs etc.) are altered by calling command line
> programs which modify binary files. I don't quite l
On Mon, 1 Dec 2003 07:46, Andreas Barth <[EMAIL PROTECTED]> wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031130 21:40]:
> > On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > > > It's a pity that the devel
On Mon, Dec 01, 2003 at 07:23:18AM +1100, Russell Coker wrote:
> On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > > It's a pity that the developers of other security systems didn't get
> > > involved, it wo
* Russell Coker ([EMAIL PROTECTED]) [031130 21:40]:
> On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > > It's a pity that the developers of other security systems didn't get
> > > involved, it would be good
On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > It's a pity that the developers of other security systems didn't get
> > involved, it would be good to have a choice of LIDS, HP's system, DTE,
> > and others
On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> It's a pity that the developers of other security systems didn't get
> involved, it would be good to have a choice of LIDS, HP's system, DTE, and
> others in the standard kernel.
LIDS uses LSM in 2.5/2.6 kernel series, IIRC.
On Sun, 30 Nov 2003 22:33, Martin Pitt <[EMAIL PROTECTED]> wrote:
> On 2003-11-29 21:08 +1100, Russell Coker wrote:
> > It's not a question of how difficult it is to get the grsec patch to
> > apply and work correctly on a Debian kernel. It's a question of whether
> > anyone is prepared to do it.
Hi together!
On 2003-11-29 21:08 +1100, Russell Coker wrote:
> It's not a question of how difficult it is to get the grsec patch to apply and
> work correctly on a Debian kernel. It's a question of whether anyone is
> prepared to do it.
If using a Debian-patched kernel is a requirement then
On Sun, 30 Nov 2003 15:32, Colin Walters <[EMAIL PROTECTED]> wrote:
> However, this is not such a bad idea, if you don't try to be too formal
> about it. If maintainers shipped English descriptions (say,
> README.Security) of what the security implications of their programs
> were, it could be ver
On Sun, 30 Nov 2003 14:53, Colin Walters <[EMAIL PROTECTED]> wrote:
> On Sat, 2003-11-29 at 22:47, David Spreen wrote:
> > of their programs. the system could use a db of installed-package
> > resources. Therefore we would need to create a common language that
> > could be translated to any acl-for
On Sat, 2003-11-29 at 22:53, Colin Walters wrote:
> > Nevertheless I again would like to suggest a policy that forces the
> > maintainers of packages to deliver information about used system
> > resources
> > of their programs.
However, this is not such a bad idea, if you don't try to be too fo
[moved to debian-security, where it belongs]
On Sat, 2003-11-29 at 22:47, David Spreen wrote:
> Even if you're perfectly right with that, I consider it important to
> provide our users the possibility to make their own choice regarding the
> acl systems to use.
You always have a choice to upload
On Sat, 2003-11-29 at 04:05, Martin Pitt wrote:
> SELinux only uses LSM which makes it easy to port, but seems
> impractical and even dangerous for real-world use [1][2].
The main complaint on those pages seems to be that LSM is only focused
on access control. You may or may not regard that as a
On Sat, 29 Nov 2003 20:05, Martin Pitt <[EMAIL PROTECTED]> wrote:
> > Conflicts with almost every other kernel patch, including the patches in
> > the default kernel source. No-one has the skill and interest necessary
> > to make it work with a default Debian kernel.
>
> It may be the hardest thin
Hi!
(moving this thread to -security since both authors gave permission to quote)
On 2003-11-29 18:06 +1100, Russell Coker wrote:
> On Sat, 29 Nov 2003 14:21, Pablo Lorenzzoni <[EMAIL PROTECTED]> wrote:
> > (1) RSBAC - http://www.rsbac.org - Used by Adamantix. It seems to be
> > quite reliable an
50 matches