
Re: Mandatory Access Control



Elmar,

 

Do you have documentation of your labours available?

 

Sincerely, Joh

 

On Monday 30 November 2015 18:20:00 Elmar Stellnberger wrote:

> Dear Henriette,

>

> Yes, I am using qemu-kvm based virtualization. According to my

> experience that was sufficient to protect the host from the guest. The

> most vulnerable part will be the graphics output as I have already said.

> Nonetheless I did also receive the many messages about vulnerabilities

> in the Wifi stack. Gonna have to tell that I do only have practical

> experience with qemu-kvm/ethernet. You can use a mobile wifi router

> through which you plug in your ethernet port (or wait for and trust in

> the fixes). Separating the Wifi driver in its own Xen-domain would of

> course be another solution as long as all graphics output still becomes

> filtered by emulating a virtual graphics card/device.

>

> Best Elmar

>

> On 29.11.2015 22:31, Henriette wrote:

> > Hey Elmar,

> >

> > I was looking into using virtualization for security purposes too. However

> > I refrained from using a full grown vbox installation so far.

> >

> > I saw that qemu provides a user-mode virtualization. I could imagine that

> > this brings already some security if you are able to specify access only

> > to certain directories etc. However I couldn't find any info with some

> > quick google searches on how to use qemu to improve systems security by

> > virt. Are you using this mode to get some security or is there no way

> > around a full virtualization to improve security?

> >

> > Best Henriette

> >

> > On Sun, 29 Nov 2015 21:26:41 +0100
> >
> > Elmar Stellnberger <estellnb@gmail.com> wrote:

> >> SELinux is more elaborate and more complicated than Apparmor; tomoyo

> >> relatively new. I would personally regard none of those MAC systems as

> >> ultimate remedy to hard security problems. In 2011 I had a

> >> RedHat/SELinux system in its default configuration and it was

> >> compromised within minutes by simply viewing the page of my bank with a

> >> web browser (read the whole at:

> >> http://www.elstel.org/Censorship.html.en). Note that a single faulty

> >> system call in the Linux kernel may be used to obtain root rights

> >> leaving all additional security gains that MAC systems should deliver

> >> behind. Please note also that a system can not be secured without

> >> securing your X-server (formerly one could even paste text into any

> >> other window like a root console without being in need of root rights).

> >> Finally the security profiles of MAC systems are very complicated so

> >> that they would hardly deliver the security as possible in theory. If

> >> you wanna ask me for my security solution it is qemu based and puts the

> >> most vulnerable system components like browsers and email programs into

> >> a virtual machine namely qemu which is maintained by the Open Source

> >> community.

> >>

> >> Regards,

> >> Elmar

> >>

> >> On 29.11.2015 18:29, c4p0 wrote:

> >>> I read the fucking manuals but don't have clear what is the better

> >>> option of "Mandatory Access Control" for debian jessie.

> >>> (AppArmor, SElinux, tomoyo, etc ..)

> >>>

> >>> someone can give me your opinion about it?

> >>> thanks in advance

 

