From: Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Internet security.
Date: Mon, 9 Sep 2013 18:04:14 +0200 [thread overview]
Message-ID: <20130909160414.GB12070@bifrost.fritz.box> (raw)
In-Reply-To: <522DE997.9000706@thegeezer.net>
[-- Attachment #1: Type: text/plain, Size: 1832 bytes --]
On Mon, Sep 09, 2013 at 04:30:31PM +0100, thegeezer wrote:
> >> i read in slashdot that there is a question mark over SELinux because it came
> >> from the NSA [4] but this is nonsense, as it is a means of securing processes
> >> not network connections. i find it difficult to believe that a backdoor in a
> >> locked cupboard in your house can somehow give access through the front door.
> > This point you get wrong. SELinux implement the LSM API (in fact the LSM API
> > was tailored to SELinux needs). It has hooks in nearly everything
> > (file/directory access, process access and also sockets). One of the biggest
> > concerns at the time of creation of the LSM API was rootkits hooking that
> > functions. It's definitively a thread. I'm not saying that SELinux contains
> > a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
> > because that would enable me to use it even if other LSMs are used). If you
> > google for "underhanded C contest" you'll see that it's possible to hide
> > malicious behaviour in plain sight. And if the kernel is compromised all other
> > defenses mean nothing. (As I said, I don't want to spread fearbut that is
> > something to consider imho).
> Interesting, I didn't realise LSM provisioned hooks for SELinux -
> thought it it was more modular (and less 'shoehorned') than that.
> I need to go read about that some more now
You can start here:
http://www.freetechbooks.com/efiles/selinuxnotebook/The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf
for a general overview (page 64ff has a list of the hooks).
Other than that http://www.kroah.com/linux/talks/ols_2002_lsm_paper/lsm.pdf and
http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf may be
of interest (though both are quite old).
WKR
Hinnerk
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
next prev parent reply other threads:[~2013-09-09 16:04 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-09 1:33 [gentoo-user] Internet security Dale
2013-09-09 2:05 ` Michael Orlitzky
2013-09-09 5:28 ` Mick
2013-09-09 13:42 ` Michael Orlitzky
2013-09-09 18:07 ` Mick
2013-09-09 19:24 ` Michael Orlitzky
2013-09-10 5:33 ` Mick
2013-09-09 6:50 ` Adam Carter
2013-09-09 13:48 ` Michael Orlitzky
2013-09-09 7:19 ` Pavel Volkov
2013-09-09 14:00 ` Michael Orlitzky
2013-09-09 17:36 ` Pavel Volkov
2013-09-09 17:51 ` Michael Orlitzky
2013-09-09 5:37 ` Mick
2013-09-09 9:36 ` thegeezer
2013-09-09 11:08 ` Bruce Hill
2013-09-09 11:22 ` thegeezer
2013-09-09 14:28 ` Hinnerk van Bruinehsen
2013-09-09 15:30 ` thegeezer
2013-09-09 16:04 ` Hinnerk van Bruinehsen [this message]
2013-09-09 16:41 ` thegeezer
2013-09-09 15:30 ` Dale
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130909160414.GB12070@bifrost.fritz.box \
--to=h.v.bruinehsen@fu-berlin.de \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox