SELinux Mailing List
RE: dynamic context transitions
From: Chad Hanson <chanson_at_TrustedCS.com>
Date: Tue, 2 Nov 2004 13:49:07 -0500
Karl MacMillan wrote:
You put the trust at the process boundary. This does not preclude you from trying to increase the trust in the code. You clearly could reduce the trust within an application. The privilege bracketing approach goes hand in hand with secure programming techniques. An example would be that your program needs to open the kernel memory device. If your application does this action and has the needed information, you should close the device. If you have incorrect source and forget to close this device, there are two methods of protection. One approach is the exec-based methodology: exec other programs to perform additional operations, thus reducing the footprint of the trusted code. The second approach would be using privilege bracketing to remove the ability to handle this resource. If you permanently remove your access to this device, even if the file descriptor is still open you will not be able to access this information. Both of these approaches achieve the exact same goal; the implementations are just a bit different.
I would disagree; running with the maximal set of permissions is exactly what we are trying to prevent by providing fine-grained privileges. This shouldn't provide a false sense of security, from a vulnerability point of view, because the process is capable of using all current privileges and misusing what it can execute. The minimal use of permission can be used to verify that the application is behaving as intended without using unneeded permissions for an operation.

-Chad

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 2 Nov 2004 - 13:49:23 EST
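The bracketing sequence described in the message (take what you need from the device, close it, then permanently give up the domain that could open it) as an added C example; it is not code from the thread or from any SELinux project. The device path and the restricted domain name are placeholders, and the transition step assumes a policy rule permitting the dynamic transition.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if descriptor fd is still open in this process, 0 if not. */
int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Bracket step 1: take what is needed from the sensitive device and close it
 * at once. Returns bytes read or -1; *used_fd reports the descriptor used. */
ssize_t read_and_close(const char *path, void *buf, size_t len, int *used_fd) {
    int fd = open(path, O_RDONLY);
    *used_fd = fd;
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Bracket step 2: give up the privileged domain for good via a dynamic
 * SELinux transition. Writing the target context to /proc/self/attr/current
 * is the raw interface behind libselinux's setcon(); policy must allow
 * process:dyntransition to the target. Each later read() is rechecked against
 * the new domain, so a descriptor left open by mistake stops working. */
int drop_to_domain(const char *target) {
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, target, strlen(target));
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* The whole bracket on one path. Returns 1 if the data was read and the
 * descriptor is verifiably closed afterwards, 0 otherwise. The transition is
 * attempted but only reported, because its outcome depends on local policy. */
int bracketed_read(const char *path) {
    char buf[64];
    int fd;
    if (read_and_close(path, buf, sizeof buf, &fd) < 0) return 0;
    /* Hypothetical restricted domain; substitute one defined in your policy. */
    if (drop_to_domain("system_u:system_r:bracketed_app_t:s0") != 0)
        perror("dynamic transition refused (expected without matching policy)");
    return !fd_is_open(fd);
}
```

On a host without a matching policy the transition is refused and reported, while the read-then-close half of the bracket still runs and can be checked.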
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009