From: Christopher Pardy <cpardy@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: Stefano Carucci <stecarucci@hotmail.com>, selinux@tycho.nsa.gov
Subject: Re: SElinux protection
Date: Fri, 14 Aug 2009 11:50:44 -0400
Message-ID: <4A8587D4.2040208@redhat.com>
In-Reply-To: <alpine.LRH.2.00.0908142229560.18040@tundra.namei.org>
>> 2. I read about the possibility of keeping processes from forking.
>> Wouldn't you consider this as a protection from DoS attacks?
>
> That could be effective in this case (as would resource limits), but
> SELinux is not generally designed to counteract DoS attacks.
SELinux has the theoretical (has anyone done this yet?) ability to take away "fork" from an entire process context, i.e. killing all your webservers. This isn't really protection so much as something you can do in reaction to an attack. Resource limits on the other hand actually provide a protection to this. Then again you can also just use kill at that point.
In response to your first question of what sort of attacks are inhibited, the simple answer is that SELinux is a way of enforcing the intentions of application designers. In that sense SELinux doesn't prevent any application from being exploited; it simply prevents exploited applications from doing anything they can't do anyway. The current Fedora default policy targets servers as they're a major source of exploits and usually behave in fairly standard ways, at least compared to user applications.
Chris Pardy
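Taking the resource-limit route Chris mentions, here is an added example (not from this thread or any of its authors) of how a supervisor can cap the number of processes a worker may create with RLIMIT_NPROC before handing control to it; the cap of 64 and the function names are arbitrary choices for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower the soft RLIMIT_NPROC of the calling process to max_procs. Lowering
 * a soft limit needs no privilege, and the limit is inherited across fork()
 * and exec(), so a supervisor can apply it before launching a worker.
 * Returns 0 on success, -1 on error. */
int cap_process_count(rlim_t max_procs)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    if (max_procs > rl.rlim_max) /* the soft limit may not exceed the hard one */
        max_procs = rl.rlim_max;
    rl.rlim_cur = max_procs;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Soft RLIMIT_NPROC currently in force (RLIM_INFINITY if unset or unreadable). */
rlim_t current_process_cap(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NPROC, &rl) == 0 ? rl.rlim_cur : RLIM_INFINITY;
}

/* Fork one child and reap it: 1 if the fork succeeded, 0 if the kernel
 * refused it with EAGAIN (per-user process cap reached), -1 on other
 * errors. Caveat: the kernel skips this check for processes holding
 * CAP_SYS_ADMIN or CAP_SYS_RESOURCE, so a root-owned worker is not capped. */
int try_fork_once(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno == EAGAIN ? 0 : -1;
    if (pid == 0)
        _exit(0);
    waitpid(pid, NULL, 0);
    return 1;
}

int main(void)
{
    if (cap_process_count(64) != 0) { perror("setrlimit"); return 1; }
    printf("soft RLIMIT_NPROC: %lu\n", (unsigned long)current_process_cap());
    printf("fork under cap: %d\n", try_fork_once());
    return 0;
}
```

Unlike revoking fork from a domain after the fact, the cap is in place before the worker runs, which is the preventive property the reply contrasts with SELinux's reactive use.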