Re: Security patches
On Sun, 4 Jan 2004 07:53, martin f krafft <email@example.com> wrote:
> also sprach Russell Coker <firstname.lastname@example.org> [2003.12.19.0229 +0100]:
> > In terms of LSM protection against this, if you use SE Linux then
> > all aspects of file access and module loading are controlled by
> > the policy. I am going to write a policy that implements
> > something similar to BSD secure levels so that you can put
> > a server into a mode where all kmem and module load access is
> > disabled. That should be all you need.
> Is this current work in progress? Do you have an ETA?
No ETA at the moment. But it will be done.
> also sprach Henrique de Moraes Holschuh <email@example.com> [2003.12.19.1018
> > I think there is a LSM "BSD secure levels" module around (that has
> > nothing to do with SE Linux), which should be much easier an
> > install for those who want to play with BSD secure levels in
> > Linux.
> The question is: does it mix with SE Linux? I always wondered about
> LSM... they are stacking modules, right? So this would have to come
> before or after SELinux, at which point one can take control from
> the other, no?
LSM in its current form only supports denying access. So if you have two
modules stacked then either one can prevent an operation, but if one module
prevents it the other cannot allow it.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page