From: Ole Kliemann <ole@plastictree.net>
To: Ted Toth <txtoth@gmail.com>
Cc: Richard Haines <richard_c_haines@btinternet.com>, selinux@tycho.nsa.gov
Subject: Re: Information about XSELinux
Date: Tue, 24 Jul 2012 13:05:51 +0200 [thread overview]
Message-ID: <20120724110551.GA2746@telvanni> (raw)
In-Reply-To: <CAFPpqQHU_YkQzX9H9SXhA_hyDv3rpghfRrn_Va2aBDjx+tD7aw@mail.gmail.com>
On Mon, Jul 23, 2012 at 09:12:37AM -0500, Ted Toth wrote:
> FWIW we have a custom distro of RHEL 6 running MLS policy with X in
> enforcing however as you might imagine getting all of this working was
> non-trivial. Because of schedule/budget/complexity we do not run GNOME
> but rather Openbox, fbpanel and idesk all of which we wrote policy
> for. Many apps (Firefox, OpenOffice) require policy tweaks with many
> of those due to our particular security requirements. We have dozens
> of custom X applications all of which require policy modules. Getting
> things like copy/paste to work under MLS is particularly challenging
> because of lack of visibility into what the X server (XACE) is doing.
I'm running X in enforcing too now with a simple setup. There is
a domain for every job (browser, mail, ...). These domains can't
access each other. The WM has access to all of them. Copy/paste
works like a charm with every domain having its own cutbuffer and
a small script called from the WM to copy the cutbuffer to other
domains.
Of course I had to allow some things in X that I do not fully
understand. But there is definitely no more sending synthetic
input events to foreign windows and no more keylogging.
Do you know of any documentation that lists all things in the X
protocol and their possible security implications?
Ole
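The isolation invariant Ole describes (one domain per job, job domains unable to reach each other, only the window manager domain allowed into all of them) can be checked mechanically against the allow rules of a policy. The script below is an added example, not code from this thread or from anyone's actual policy: it parses allow rules written in the ordinary SELinux policy syntax and flags any rule that grants a job domain a permission on an `x_*` object class whose target is a different job domain. The domain names (`job_browser_t`, `job_mail_t`, `wm_t`) and the sample rules are constructed for the example; which XACE object class carries which check in the X server is not something this script asserts, it only enforces the policy-level rule "no X access between job domains except via the WM domain".

```python
import re

# Constructed sample of allow rules in SELinux policy syntax. The domain
# names are assumptions for this example; the last two rules are the kind
# of cross-domain grant the audit is meant to catch.
SAMPLE_RULES = """
allow wm_t job_browser_t:x_drawable { read write get_property set_property };
allow wm_t job_mail_t:x_drawable { read write get_property set_property };
allow wm_t job_browser_t:x_selection { read write getattr setattr };
allow job_browser_t self:x_selection { read write getattr setattr };
allow job_mail_t self:x_selection { read write getattr setattr };
allow job_browser_t xserver_t:x_server { getattr manage };
allow job_browser_t job_mail_t:x_synthetic_event send;
allow job_mail_t job_browser_t:x_keyboard read;
"""

# allow <source> <target>:<class> <perm> ;   or   ... { perm perm ... } ;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;$"
)


def parse_allow_rules(text):
    """Parse allow rules into (source, target, class, perms) tuples.

    Lines that are not allow rules (comments, blank lines, other
    statements) are skipped; a malformed allow rule raises ValueError.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("allow"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed allow rule: %r" % line)
        perms = (m.group("perms") or m.group("perm")).split()
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), tuple(perms)))
    return rules


def find_cross_domain_x_access(rules, job_domains, privileged=frozenset({"wm_t"})):
    """Return rules that break job-domain isolation at the X layer.

    A finding is any rule on an x_* object class where the source is a job
    domain, the target is a *different* job domain, and the source is not
    one of the privileged domains (the window manager in this setup).
    Rules targeting 'self' or the X server's own domain are not findings.
    """
    findings = []
    for src, tgt, cls, perms in rules:
        if not cls.startswith("x_"):
            continue
        if src in privileged:
            continue
        if src in job_domains and tgt in job_domains and src != tgt:
            findings.append((src, tgt, cls, perms))
    return findings


def audit(text=SAMPLE_RULES, job_domains=frozenset({"job_browser_t", "job_mail_t"})):
    """Parse the rule text and return the isolation findings."""
    return find_cross_domain_x_access(parse_allow_rules(text), job_domains)


if __name__ == "__main__":
    for src, tgt, cls, perms in audit():
        print("cross-domain X access: %s -> %s:%s %s" % (src, tgt, cls, " ".join(perms)))
```

Against a real policy the same logic applies to output from `sesearch -A` on the compiled policy rather than to source text, and `job_domains` becomes the set of attributes or types you use for per-job domains; the point of the check is that the isolation Ole relies on is a property of the allow rules, so it can be re-verified every time a module is tweaked to make an application work.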