[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV
Javier J. Martínez Cabezón
tazok.id0 at gmail.com
Thu Jan 15 15:28:15 CET 2009
why DAZ in a linux desktop?, I thought that DAZ were useful for
example in mail servers. Do you consider malware a treat in (even) a
standard linux?.
I think that DAZ imposes a too high overhead to a desktop system, I
would not switch it on.
The problem in his setup I think is X-org, xorg has CAP_SYS_RAWIO and
if rsbac can't control which addresses in /dev/mem can't it reach I
think that not setup is useful. Have we something like grsecurity that
only memory video could it be reach?
2009/1/13 kang <kang en rsbac.org>:
> Gergely Lónyai wrote:
>> Hi,
>>
>> This kernel would have the Mandriva's "official" RSBAC kernel. :-(
>> I droping a modul from this kernel?
>>
>> Aleph
>>
>
> As a generic kernel, I wouldn't recommand the MAC module. It's too
> complicated. Also having all modules on means more performance penality.
>
> Please review:
> http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/selecting_models
> to select the modules you need.
>
> A solution might be to enable e.g.:
> AUTH, RC, JAIL, CAP, PAX (if the kernel has pax only!), DAZ (if mandriva
> provides on access scanners only!), FF, RES, UM
>
> Have these policies switchables (meaning, can be enabled/disabled)
>
> Then at startup have a script that can select which modules you desire.
> So casual desktop users only load AUTH, FF, JAIL CAP maybe, or AUTH, RC,
> JAIL, CAP
>
> Make sure only this script can do this at startup, of course. I'd like
> to stress that this not the best idea if "pure security" is the
> objective, but it provide easier setup for different users
> (security/ease trade off :P)
>
> Remember that these are just examples, it all depends on your goals :)
>
> kang
> _______________________________________________
> rsbac mailing list
> rsbac en rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
More information about the rsbac
mailing list