Please excuse the delayed response... better ever than never... Thanks for all comments so far, while LSM/SELinux has been losing points with me for a while, it is now on the upswing again... A couple of comments or questions follow: also sprach Henrique de Moraes Holschuh <hmh@debian.org> [2003.12.18.2321 +0100]: > Now, what I would like to have is a kernel that loads in all > executable pages it might need, and locks itself out from ever > loading or writing over any other executable pages [that would run > in kernel context] again. This needs hardware support, of course, > which I don't know if any of the commonly used architectures > have... It would be nice to have a TPM do that, huh? also sprach Russell Coker <russell@coker.com.au> [2003.12.19.0229 +0100]: > In terms of LSM protection against this, if you use SE Linux then > all aspects of file access and module loading are controlled by > the policy. I am going to write a policy that implements > something similar to BSD secure levels so that you can put > a server into a mode where all kmem and module load access is > disabled. That should be all you need. Is this current work in progress? Do you have an ETA? also sprach Henrique de Moraes Holschuh <hmh@debian.org> [2003.12.19.1018 +0100]: > I think there is a LSM "BSD secure levels" module around (that has > nothing to do with SE Linux), which should be much easier an > install for those who want to play with BSD secure levels in > Linux. The question is: does it mix with SE Linux? I always wondered about LSM... they are stacking modules, right? So this would have to come before or after SELinux, at which point one can take control from the other, no? -- Please do not CC me when replying to lists; I read them! .''`. martin f. krafft <madduck@debian.org> : :' : proud Debian developer, admin, and user `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Attachment:
pgpxW8Xp8q2rm.pgp
Description: PGP signature