[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV

Javier J. Martínez Cabezón tazok.id0 at gmail.com
Thu Jan 15 16:04:34 CET 2009


but to check windows files...;)

2009/1/15 Gergely Lónyai <alephlg at gmail.com>:
> Hi,
>
> The DAZ is good on a linux desktop. Only use 1-2 directories (samba share...).
>
> Aleph
>
> From: Javier J. Martínez Cabezón <tazok.id0 at gmail.com>
>>Why DAZ on a Linux desktop? I thought that DAZ was useful, for
>>example, in mail servers. Do you consider malware a threat in (even) a
>>standard Linux?
>>I think that DAZ imposes a too high overhead to a desktop system, I
>>would not switch it on.
>>
>>The problem in his setup, I think, is X-org: xorg has CAP_SYS_RAWIO, and
>>if rsbac can't control which addresses in /dev/mem it can reach, I
>>think that no setup is useful. Do we have something like grsecurity, so that
>>only video memory can be reached?
>>2009/1/13 kang <kang at rsbac.org>:
>>> Gergely Lónyai wrote:
>>>> Hi,
>>>>
>>>> This kernel would have the Mandriva's "official" RSBAC kernel. :-(
>>>> Am I dropping a module from this kernel?
>>>>
>>>> Aleph
>>>>
>>>
>>> As a generic kernel, I wouldn't recommend the MAC module. It's too
>>> complicated. Also having all modules on means more performance penalty.
>>>
>>> Please review:
>>> http://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/selecting_models
>>> to select the modules you need.
>>>
>>> A solution might be to enable e.g.:
>>> AUTH, RC, JAIL, CAP, PAX (if the kernel has pax only!), DAZ (if mandriva
>>> provides on access scanners only!), FF, RES, UM
>>>
>>> Have these policies switchable (meaning, can be enabled/disabled)
>>>
>>> Then at startup have a script that can select which modules you desire.
>>> So casual desktop users only load AUTH, FF, JAIL CAP maybe, or AUTH, RC,
>>> JAIL, CAP
>>>
>>> Make sure only this script can do this at startup, of course. I'd like
>>> to stress that this is not the best idea if "pure security" is the
>>> objective, but it provides easier setup for different users
>>> (security/ease trade off :P)
>>>
>>> Remember that these are just examples, it all depends on your goals :)
>>>
>>> kang
>>> _______________________________________________
>>> rsbac mailing list
>>> rsbac at rsbac.org
>>> http://www.rsbac.org/mailman/listinfo/rsbac

