[rsbac] MAC: request MODIFY_SYSTEM_DATA, target NETDEV
Amon Ott
ao at rsbac.org
Thu Jan 15 16:33:21 CET 2009
Am Dunnersdag 15 Januor 2009 schrieb Javier J. Martínez Cabezón:
> why DAZ in a linux desktop?, I thought that DAZ were useful for
> example in mail servers. Do you consider malware a treat in (even) a
> standard linux?.
> I think that DAZ imposes a too high overhead to a desktop system, I
> would not switch it on.
We use it to check files before they get transferred to Windows clients.
> The problem in his setup I think is X-org, xorg has CAP_SYS_RAWIO and
> if rsbac can't control which addresses in /dev/mem can't it reach I
> think that not setup is useful. Have we something like grsecurity that
> only memory video could it be reach?
The standard 2.6 kernel has such restrictions on board:
Kernel Hacking -> Filter Access to /dev/mem
I strongly recommend to turn that on, even if only X can access /dev/mem with
RSBAC. :)
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac
mailing list