From: Diyab <diyab@diyab.net>
To: russell@coker.com.au
Cc: SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: BSD Secure levels for linux
Date: Thu, 27 Nov 2003 10:45:09 -0500
Message-ID: <3FC61C05.90400@diyab.net>
In-Reply-To: <200311271326.53583.russell@coker.com.au>

Russell Coker wrote:
> On Thu, 27 Nov 2003 11:29, Diyab <diyab@diyab.net> wrote:
>
>>Has anyone else run across the kernel patch that implements something
>>similar to the BSD secure levels? Has anyone tried to use this with
>>selinux? I'm also curious what the general thought of the idea is.
>>Good idea? Bad idea? What do you think?
>
>
> The concept of secure levels is to have an option to put the system into a
> mode where module loading and various other things are denied.
>
> You could of course have a SE Linux configuration where you have multiple
> policydb binaries, the one that loads on boot would have the current
> functionality. Other policydb's would have limited functionality (EG prevent
> insmod_t from doing anything other than sending sigchld to init_t and
> preventing load_policy). Then loading a new policy would give a similar
> result to changing a BSD secure level.

I never thought about something like that. On the plus side, not only
would you have more control over what your specific "levels" will do, but
you can easily and securely switch between levels. The patch I
mentioned does not have that functionality.

>
> If someone else wants to make a start on this then I would be interested in
> merging patches into my policy tree as I think that the functionality is
> useful.
>
I'm going to try this when I get a chance. I do not have time to do it
right away though.

Timothy,
--
I put instant coffee in a microwave and almost went back in time.
-- Steven Wright