El dom, 16-01-2005 a las 00:31 +0100, Christian Mayrhuber escribió:
Hi,
I'm not sure if this list is the correct location to report
but I'll try anyway.
A sarge install with a kernel 2.6 does not load any
linux security kernel modules per default, neither
capabilies nor lsm, which is insecure.
That seems the default behavior by now, but loading the capabilities LSM
without the disabling parameter will cause that SELinux or other linux
security modules wouldn't be able to register with the LSM framework.
Also, it's not insecure, it will just lack of capabilities support and
handling withing the LSM framework, indeed, what other "LSM's" are you
talking about?
AFAIK, Vanilla sources come with root_plug, BSD Secure Levels and
SELinux, and they are not enabled at all because:
1) root_plug depends on specific hardware configuration
2) BSD Secure Levels are new from latest 2.6.10
3) SELinux is still "under deployment", so, support is there, but it's
disabled until userland applications are ready and policies get well
designed and tested.
If you think there's something you can do to achieve at least the 3
point, feel free to mail me privately and i will see what we can try to
do.
There's currently an already formed team of members from the Hardened
Debian project and both Ubuntu Linux and Debian projects, for doing such
things, the work is focused on Sid, and in the forthcoming months we
will see the results, hopefully.
Cheers,