SELinux Mailing List
Re: booting in enforcing mode
From: Russell Coker <russell_at_coker.com.au>
Date: Mon, 12 Apr 2004 16:37:57 +1000
Reading a file of type etc_t is not going to do any great harm. Almost everything has read access to such files (think of all the things that break if /etc/passwd is not readable). If I made it a tunable for whether /proc/mounts and /etc/mtab are accessible would that satisfy your needs? I really want to keep everyone on the same policy tree as much as possible. That will allow you to upgrade to newer releases of SE Linux with less effort and also allow me to incorporate any improvements you make without any difficulty.
> I'm using busybox for most of the network stuff and logging. in

You might want to read my previous messages on this topic to this list, and the paper I presented at OLS 2003 on running SE Linux on an iPaQ.

> I was having difficulty with the busybox

My conclusion was that doing such things was best. I think that having syslogd and klogd running in different domains provides minimal benefit and for a small machine you might want to combine them (the policy supports this if you remove klogd.te).

> One area I'm having a lot of irritation with is the hotplug

Shell scripts always require access to more things than they should. One thing you might investigate is using a smaller shell than bash. Shells with fewer features request less access to the system...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Received on Mon 12 Apr 2004 - 02:39:30 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |