From: Joshua Brindle <method@manicmethod.com>
To: russell@coker.com.au
Cc: cinthya aranguren <cinthya.aranguren@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: Removing DAC.
Date: Mon, 24 Mar 2008 08:12:50 -0400
Message-ID: <47E79AC2.8040606@manicmethod.com>
In-Reply-To: <200803240934.16380.russell@coker.com.au>

Russell Coker wrote:
> On Monday 24 March 2008 02:54, "cinthya aranguren" 
> <cinthya.aranguren@gmail.com> wrote:
>
>> Is there any way to avoid or remove DAC controls? I'd like to have only one
>> security scheme in my system. I mean a pure SELinux system, not DAC + MAC,
>> only MAC.
>
>
> Back in about 2003 as an experiment I changed the ownership of all files on a 
> SE Linux strict system to root and changed the permission to 777.  It didn't 
> work very well.  One problem was that many programs rely on the Unix 

Right, that wouldn't work well because it would deteriorate: programs 
set umasks when making files, etc. Just ignoring the bits would probably 
work a lot better :)

> permissions to identify the difference between a configuration file and a 
> shell script.  In directories such as /etc there is not sufficiently 
> fine-grained SE Linux labelling to replace this use of Unix permissions.
>

Why does that matter? /etc is read only for the vast majority of 
processes and anything with passwords, etc in them should have their own 
labels.

> It's possible that in the last 5 years things have changed significantly, but 
> my last experiments showed enough obstacles to make me not want to bother 
> going further with it.
>

We certainly have a lot more types today; I'm not sure if that was the 
real obstacle though.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
