[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Gergely Lónyai alephlg at gmail.com
Thu Jan 15 15:53:02 CET 2009


Hi,

The DAZ is good on a linux desktop. Only use 1-2 directories (samba share...).

Aleph

From: Javier J. Martínez Cabezón <tazok.id0 at gmail.com>
>why DAZ in a linux desktop?, I thought that DAZ were useful for
>example in mail servers. Do you consider malware a treat in (even) a
>standard linux?.
>I think that DAZ imposes a too high overhead to a desktop system, I
>would not switch it on.
>
>The problem in his setup I think is X-org, xorg has CAP_SYS_RAWIO and
>if rsbac can't control which addresses in /dev/mem can't it reach I
>think that not setup is useful. Have we something like grsecurity that
>only memory video could it be reach?
>2009/1/13 kang <kang at rsbac.org>:
>> Gergely Lónyai wrote:
>>> Hi,
>>>
>>> This kernel would have the Mandriva's "official" RSBAC kernel. :-(
>>> I droping a modul from this kernel?
>>>
>>> Aleph
>>>
>>
>> As a generic kernel, I wouldn't recommand the MAC module. It's too
>> complicated. Also having all modules on means more performance penality.
>>
>> Please review:
>> http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/selecting_models
>> to select the modules you need.
>>
>> A solution might be to enable e.g.:
>> AUTH, RC, JAIL, CAP, PAX (if the kernel has pax only!), DAZ (if mandriva
>> provides on access scanners only!), FF, RES, UM
>>
>> Have these policies switchables (meaning, can be enabled/disabled)
>>
>> Then at startup have a script that can select which modules you desire.
>> So casual desktop users only load AUTH, FF, JAIL CAP maybe, or AUTH, RC,
>> JAIL, CAP
>>
>> Make sure only this script can do this at startup, of course. I'd like
>> to stress that this not the best idea if "pure security" is the
>> objective, but it provide easier setup for different users
>> (security/ease trade off :P)
>>
>> Remember that these are just examples, it all depends on your goals :)
>>
>> kang
>> _______________________________________________
>> rsbac mailing list
>> rsbac at rsbac.org
>> http://www.rsbac.org/mailman/listinfo/rsbac
>_______________________________________________
>rsbac mailing list
>rsbac at rsbac.org
>http://www.rsbac.org/mailman/listinfo/rsbac


More information about the rsbac mailing list