From: Tom <tom@lemuria.org>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Daniel J Walsh <dwalsh@redhat.com>, SELinux@tycho.nsa.gov
Subject: Re: Default Policy question?
Date: Mon, 2 Jun 2003 23:03:14 +0200 [thread overview]
Message-ID: <20030602230314.C3637@lemuria.org> (raw)
In-Reply-To: <1054574512.1053.178.camel@moss-huskers.epoch.ncsc.mil>; from sds@epoch.ncsc.mil on Mon, Jun 02, 2003 at 01:21:53PM -0400
On Mon, Jun 02, 2003 at 01:21:53PM -0400, Stephen Smalley wrote:
> security administrator from the system administrator is difficult unless
> you significantly prune what a typical system administrator can do;
> otherwise, the system administrator can subvert the software,
> configuration or environment of the security administrator and
> effectively take control of it.
But if the secadm_r controls the policy, he should have enough power at
his hands to prevent subversion. Things he would have to protect:
* his home directory (environment)
* policy and policy tools
* kernel and kernel modules
Other than that, all other tools are limited by the policy, aren't
they? The sysadm_r can replace ls with a trojaned binary, but he can't
make it do anything that the normal ls isn't allowed to do.
Please tell me if I'm wrong - I'm seing if it's possible to define a
set of "core tools", defined essentially as "access to any of these means
game over". I'm not sure if I can invert the process and say that _no_
access to any of them means system integrity still valid, but it
appears so.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2003-06-02 21:03 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-02 16:04 Default Policy question? Daniel J Walsh
2003-06-02 17:21 ` Stephen Smalley
2003-06-02 21:03 ` Tom [this message]
2003-06-02 23:51 ` Russell Coker
2003-06-03 6:30 ` Tom
2003-06-03 13:31 ` Russell Coker
2003-06-03 12:20 ` Stephen Smalley
2003-06-03 17:20 ` Tom
2003-06-02 18:11 ` Tom
2003-06-02 20:22 ` Frank Mayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030602230314.C3637@lemuria.org \
--to=tom@lemuria.org \
--cc=SELinux@tycho.nsa.gov \
--cc=dwalsh@redhat.com \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.