From: Murray McAllister <mmcallis@redhat.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: user guide draft: "Targeted Policy" review
Date: Sat, 06 Sep 2008 14:40:58 +1000	[thread overview]
Message-ID: <48C209DA.4040901@redhat.com> (raw)
In-Reply-To: <48C140CB.7090108@redhat.com>

Daniel J Walsh wrote:
> Murray McAllister wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-09-03 at 17:41 +1000, Murray McAllister wrote:

>> When a confined subject is compromised by an attacker, depending on
>> SELinux policy configuration, the attacker's access is to resources and
>> the possible damage they can do is limited.
>>
> If a confined ...

Changed.

>>>> Unconfined Subjects
>>>>
>>>> Unconfined subjects run in the unconfined_t domain type. This means
>>>> that SELinux policy rules do not apply, and only DAC permissions are
>>>> used.
> Only unconfined login users run as unconfined_t, init programs run in
> the unconfined domain initrc_t, unconfined inetd processes run in the
> inetd_child_t domain.  Unconfined kernel processes run in kernel_t.
> There are about 20 unconfined domains in Fedora 10.

How about:

Unconfined subjects run in unconfined domains, for example, init 
programs run in the unconfined initrc_t domain, unconfined kernel 
subjects run in the kernel_t domain, and unconfined Linux users run in 
the unconfined_t domain. For unconfined subjects, SELinux policy rules 
are applied, but policy rules exist that allow subjects running in 
unconfined domains almost all access. Subjects running in unconfined 
domains almost always fall back to using DAC rules exclusively. If an 
unconfined subject is compromised, SELinux does not prevent the attacker 
from gaining access to system resources and data, but of course, DAC 
rules are still used. SELinux is a security enhancement above DAC rules 
- it does not replace them.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
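The paragraph above distinguishes confined domains (httpd_t, sshd_t, and so on) from the roughly twenty unconfined domains (unconfined_t, initrc_t, kernel_t, inetd_child_t, ...). An administrator reviewing a system usually wants to know which running processes fall into the second group. The following script is an added example, not part of this thread or of the SELinux project; it assumes that on a live Fedora system the process labels would come from `ps -eZ` and the list of unconfined domains from the policy attribute `unconfined_domain_type` (for instance via setools' `seinfo`), but here both inputs are constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example: classify running processes by whether their SELinux
# domain is one of the unconfined domains. On a real system the first
# input would be the output of `ps -eZ` and the second the list of types
# carrying the unconfined_domain_type attribute (assumed attribute name,
# e.g. from `seinfo -a unconfined_domain_type -x`). Both are constructed
# sample data here so the script runs without SELinux installed.

# Constructed sample of `ps -eZ` output: LABEL PID TTY TIME CMD.
SAMPLE_PS='LABEL                                     PID TTY      TIME CMD
system_u:system_r:kernel_t:s0               2 ?    00:00:00 kthreadd
system_u:system_r:initrc_t:s0             812 ?    00:00:01 rc.local
system_u:system_r:httpd_t:s0              904 ?    00:00:00 httpd
system_u:system_r:sshd_t:s0              1101 ?    00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0 1340 pts/0 00:00:00 bash'

# Constructed list of unconfined domains (a subset of the ~20 in Fedora 10).
UNCONFINED_DOMAINS='unconfined_t initrc_t kernel_t inetd_child_t'

# domain_of LABEL: print the type field of a user:role:type:level context.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_unconfined TYPE: succeed if TYPE is in UNCONFINED_DOMAINS.
is_unconfined() {
    for d in $UNCONFINED_DOMAINS; do
        if [ "$d" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# classify_procs: read ps -eZ output on stdin, print "PID CMD TYPE STATUS".
classify_procs() {
    tail -n +2 | while read -r label pid tty time cmd; do
        type=$(domain_of "$label")
        if is_unconfined "$type"; then
            status=UNCONFINED
        else
            status=confined
        fi
        printf '%s %s %s %s\n' "$pid" "$cmd" "$type" "$status"
    done
}

# count_unconfined: number of processes running in unconfined domains.
# `|| true` keeps a zero count from aborting a `set -e` script.
count_unconfined() {
    classify_procs | grep -c ' UNCONFINED$' || true
}

# Usage with the constructed sample; on a live system replace the
# printf with `ps -eZ`.
printf '%s\n' "$SAMPLE_PS" | classify_procs
```

On the sample data, kthreadd, rc.local and bash are reported as UNCONFINED because kernel_t, initrc_t and unconfined_t are all unconfined domains, while httpd and sshd are confined; this matches the point of the paragraph that "unconfined" is a property of several domains, not just unconfined_t.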
