SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: LSM caps issue, selinux affected? This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] From: Stephen Smalley <sds_at_epoch.ncsc.mil> Date: Mon, 12 Apr 2004 15:32:53 -0400 On Mon, 2004-04-12 at 15:09, Joshua Brindle wrote: > http://marc.theaimsgroup.com/?l=linux-kernel&m=108153697611991&w=2 > > Since Smalley or others haven't responded on that thread yet and I'm no > longer on the LSM list (the spam...) I'd like to get the opinion here, > how effective is this against selinux and is it serious enough that we > should issue security advisories? Pebenito says we should be unaffected > since we block ptrace by default, is that the common configuration? It has to do with the separation of the capabilities logic from the core kernel, not anything SELinux-related, although it should certainly be fixed. For SELinux, there are two scenarios: If there was no domain transition on the program execution, then the calling domain would need to be allowed to use the capabilities by the SELinux policy. Otherwise, it can't use them. If there was a domain transition on the program execution, then the program domain would need to be allowed to use the capabilities by the SELinux policy, and the calling domain would be prevented from interfering with the program domain by the policy, and the domain transition would trigger inheritance controls and enable glibc secure mode. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Mon 12 Apr 2004 - 15:33:09 EDT This message: [ Message body ] Next message: todd glassey: "Re: Logo Artwork for SELinux?" Previous message: Joshua Brindle: "LSM caps issue, selinux affected?" In reply to: Joshua Brindle: "LSM caps issue, selinux affected?" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom