[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SELinux


Selinux is perhaps not there yet, but debian could give it a hand No
third party hand if I may say so.

However, how much of the time is it the software devolpers mistake
rather then SELinux's mistake?

Another different question, how does debian handle fork bomb
protection? Is this kernel related?

>cat /etc/security/limits.conf

@dev hard core 100000
@dev soft nproc 20
@dev hard nproc 35
@dev -    maxlogins 10

If the user is added to the group "dev" then it will prevent atacks
like: perl -e "fork while fork"

however, atacks like: in c: main(){while(1){fork();}}; in bash:  while
: ; do tail /dev/urandom & done ; wait
do seem to work. There is a lack of documentation about this issue on
the debian.org documentation references. Maybe someone could clear
this up. A protection against these things would be nice, just like in
the old days when there was a default setting in the host tcp/ip



(Could you please be so kind and CC me, I'm not subscribed )

2005/9/21, Mike McCarty <mike.mccarty@sbcglobal.net>:
> Arvind Autar wrote:
> > Helllo,
> >
> > I have been using debian for quite some time now, how ever I have
> > watched several distrobutions implentating so many great ideas, and I
> > have been wondering why such a robust distorbution as debian
> > GNU/Linux(*) hasn't done this. One of them is:
> >
> > SELinux
> >
> > If SELinux is also suitable for desktop users for example if we look
> > at the targeted policy (for fedora and RHEL) it
> > shows that it doesn't restrict users sessions. Short conclusion, there
> > is no loss  of functionality, why hasn't debian implented SELinux as
> > default?
> Over in the Fedora lists, quite a number of the defects are related
> to SELinux. I've noticed that enabling SELinux took away quite a bit
> of functionality, not by design, but by defect.
> If it gets added to Debian, I suggest that it be shipped disabled.
> Frankly, unless one is running an Apache server or the like, I see
> no usefulness in it. And even if one runs a server like Apache,
> who is to say that SELinux doesn't add as many exploitable defects
> as holes it plugs, if not more?
> Mike
> --
> p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> This message made from 100% recycled bits.
> You have found the bank of Larn.
> I can explain it for you, but I can't understand it for you.
> I speak only for myself, and I am unanimous in that!

Reply to: