
SELinux Mailing List

Re: [RFC][PATCH 1/2] Further SELinux restrictions on mprotect

From: Lorenzo Hernández García-Hierro <lorenzo_at_gnu.org>
Date: Wed, 27 Apr 2005 22:18:09 +0200


On Wed, 27-04-2005 at 10:01 -0700, Ulrich Drepper wrote:
> Stephen Smalley wrote:
> > What do others think about these additional permission checks,
> > particularly in terms of being able to practically apply them? Has
> > anyone else experimented with them?
>
> I certainly like all the lockdown in this area we can get. The other
> approaches to achieve this (i.e., pax) are simply unsuitable for a
> general OS release. The fact that some programs need relaxed policies
> now doesn't mean this cannot be changed.

I agree, it's a matter of doing it well, and doing it simply, at least from the user's side.
That would ensure a future and wide deployment in a huge variety of distributions (i.e. Debian, Ubuntu...), and more important, in the "Desktop world", generally.

> For instance, the X issue you saw is iirc changed upstream. Maybe
> upstream == R7, but I think the people are receptive.

I was looking around it, and it seems that it is patched right now. I think it was also on RH's bugzilla, submitted by Ingo, but I dunno for certain.

> As for the JVM, I have contacts at Sun and I'm sure they have an equal
> interest in making the JVM secure.

Good to know. Personally I don't care much about Java, but we must provide support for the widest possible range of users, and that would help a lot.

> valgrind is a special tool, I'm not worried.

:)

Cheers and thanks for your comments,

-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]


Received on Wed 27 Apr 2005 - 16:21:19 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service