[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ld.so and LD_PRELOAD

On Fri, 2003-06-06 at 18:38, Russell Coker wrote:

> LSM (which SE Linux is built on) does not support permissive controls.  So SE 
> Linux can only deny operations that would otherwise be permitted by regular 
> Unix controls.  So for a recommended configuration you can not make it any 
> more insecure than a standard Linux system no matter what you do.

Sure you can. When you're deciding if you want offer some service on a
box, for example, you weight the costs, including security, against the
benefits. If you've installed SELinux, you probably think it provides
security benefits. So you're going to include it in calculating the
security costs, which will be less because of it. Thus, you are more
likely to offer services.

If it turns out that SELinux doesn't really provide the security bonus
you thought it did --- either due to a bug or wanton misconfiguration
--- you have a less secure box than a standard Linux one would of been
(because you wouldn't of offered the service)

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: