From: Joshua Brindle
Date: Wed, 26 Apr 2006 14:54:15 -0400
To: Niels Provos
CC: gentoo-hardened@lists.gentoo.org, gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-hardened] Systrace resurrection
Message-ID: <444FC1D7.2010102@gentoo.org>
In-Reply-To: <850f7cbe0604261123l4b64000ag320a26cbe7dbb73e@mail.gmail.com>

Niels Provos wrote:
> On 4/26/06, Joshua Brindle wrote:
>
>> Well, systrace is path based so you can apply all those arguments
>> directly. I don't understand what you mean by systrace is not MAC, what
>> is it? It has a policy, it enforces access control. I guess choosing to
>>
>
> Let's take this opportunity to avoid misunderstandings. I don't know
> very much about mandatory access control nor SELinux in particular.
> However, I certainly support the statement that Systrace is not a MAC
> system nor does it want to be one. It would be great if you could
> help improve my understanding of SELinux by explaining the SELinux
> policy that governs, for example, your IRC client.
>

That is fair. If no one involved considers systrace MAC then I'm less inclined to care about its availability; I'm still very concerned about privilege escalation and user interaction. I will not concede that this sort of activity (particularly the privilege escalation) is very dangerous.

SELinux is mandatory so the policy would already be loaded into the kernel. The irc client executable would be labeled (something like irc_exec_t). The user shell process would have a label (user_t) and user_t executing irc_exec_t would cause a transition into user_irc_t. The user_irc_t would then only have access to the resources it needs, network, its own files in your home and tmp. Derived domains like user_irc_t are used to separate user apps from one another (without the assistance of DAC). There are tons of resources about how selinux works policy-wise though. What in particular do you want to know?

-- 
gentoo-hardened@gentoo.org mailing list
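As an added illustration of the transition Joshua describes (not code from the message, from Gentoo, or from the Reference Policy tree), here is a minimal Reference Policy module in which user_t executing irc_exec_t lands in user_irc_t and that domain is confined to the network and its own home and tmp files. The type names user_t, irc_exec_t and user_irc_t come from the message; the private file types, the refpolicy interface names and the client path are assumptions to be checked against the installed policy.

```selinux
# Added example, not from the message or any policy tree. Type names
# user_t, irc_exec_t, user_irc_t follow the message; the private file
# types, interface names and client path below are assumptions.

policy_module(user_irc, 1.0.0)

# Declarations
type user_irc_t;          # derived domain the IRC client runs in
type irc_exec_t;          # label on the client executable (entrypoint)
type user_irc_home_t;     # the client's own files under $HOME
type user_irc_tmp_t;      # the client's own files under /tmp

application_domain(user_irc_t, irc_exec_t)
userdom_user_home_content(user_irc_home_t)
files_tmp_file(user_irc_tmp_t)

# Domain transition: user_t exec'ing irc_exec_t -> user_irc_t.
# The role must also be allowed to run the new domain.
gen_require(`
	type user_t;
	role user_r;
')
role user_r types user_irc_t;
domtrans_pattern(user_t, irc_exec_t, user_irc_t)

# What user_irc_t may touch: network, its own home/tmp files, the tty.
# Nothing here grants access to another app's home content, so two
# derived domains of the same user stay apart even though DAC alone
# would let them read each other's files.
allow user_irc_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_connect_ircd_port(user_irc_t)
sysnet_dns_name_resolve(user_irc_t)

manage_dirs_pattern(user_irc_t, user_irc_home_t, user_irc_home_t)
manage_files_pattern(user_irc_t, user_irc_home_t, user_irc_home_t)
userdom_user_home_dir_filetrans(user_irc_t, user_irc_home_t, dir)

manage_files_pattern(user_irc_t, user_irc_tmp_t, user_irc_tmp_t)
files_tmp_filetrans(user_irc_t, user_irc_tmp_t, file)

userdom_use_user_terminals(user_irc_t)

# In the module's .fc file (the path is a placeholder for the real client):
# /usr/bin/irc-client  --  gen_context(system_u:object_r:irc_exec_t,s0)
```

Because the kernel evaluates these rules regardless of file ownership or mode bits, a compromised client in user_irc_t cannot reach the user's other files even though the Unix UID would permit it.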