Re: OBSD's perspective on SELinux

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Brian Candler <B.Candler@...>

To: Rui Miguel Silva Seabra <rms@...>, <misc@...>

Subject: Re: OBSD's perspective on SELinux

Date: Monday, September 24, 2007 - 11:31 am

On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:

quoted text

> On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
> > OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
> > compact OS done by folks you can trust and actually talk to, use OBSD; if
> > you want 'fairly secure Linux' [which has had thousands of hand in it
> > including NSA, as mentioned previousy], use OpenSUSE with ***AppArmor***.
> > Simple and easy to implement, even by less senior Admins.
>
> Can you say "root can only run this and that application when su'ed from
> that guy, and may not open any net connection, but open this file and none
> else" in OpenBSD? If so, how can I do it? :)

You solve the problem a different way:

- You don't give the guy root access, but their own userid

- You set file permissions so this userid can read only the file of interest

- You use pf rules so that this user ID cannot send network packets

- If this guy needs root for something (e.g. to bind to port 80), then you
write a three-line setuid root wrapper which binds to port 80 for them.
If you have a lot of this to do, then consider an 'open server' which
returns the open file descriptor.

Regards,

Brian.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 11:34 am)

Re: OBSD's perspective on SELinux, Damien Miller, (Mon Sep 24, 11:09 pm)

Re: OBSD's perspective on SELinux, Chris Kuethe, (Mon Sep 24, 10:52 am)

Re: OBSD's perspective on SELinux, Marco Peereboom, (Sat Sep 22, 11:27 pm)

Re: OBSD's perspective on SELinux, L. V. Lammert, (Sat Sep 22, 7:47 pm)

Re: OBSD's perspective on SELinux, Rui Miguel Silva Seabra, (Sun Sep 23, 5:54 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Mon Sep 24, 1:29 pm)

Re: OBSD's perspective on SELinux, Jacob Yocom-Piatt, (Mon Sep 24, 2:17 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Mon Sep 24, 3:14 pm)

Re: OBSD's perspective on SELinux, Brian Candler, (Mon Sep 24, 11:31 am)

Re: OBSD's perspective on SELinux, Rui Miguel Silva Seabra, (Mon Sep 24, 11:59 am)

Re: OBSD's perspective on SELinux, Marc Espie, (Tue Sep 25, 6:06 am)

Re: OBSD's perspective on SELinux, Marc Espie, (Tue Sep 25, 8:34 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Joachim Schipper, (Sun Sep 23, 6:35 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Martin Schröder, (Mon Sep 24, 11:18 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Lars Hansson, (Tue Sep 25, 1:57 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Darren Spruell, (Tue Sep 25, 2:32 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Gilles Chehade, (Mon Sep 24, 5:40 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Martin Schröder, (Mon Sep 24, 12:02 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Antti Harri, (Mon Sep 24, 1:32 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Rui Miguel Silva Seabra, (Sun Sep 23, 6:38 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Sat Sep 22, 2:50 pm)

Re: OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 4:21 pm)

Re: OBSD's perspective on SELinux, , (Sat Sep 22, 7:20 pm)

Re: OBSD's perspective on SELinux, Stuart Henderson, (Sat Sep 22, 4:00 pm)

Re: OBSD's perspective on SELinux, Joachim Schipper, (Sat Sep 22, 12:29 pm)

Re: OBSD's perspective on SELinux, Ihar Hrachyshka, (Sat Sep 22, 12:45 pm)

Re: OBSD's perspective on SELinux, Joachim Schipper, (Sat Sep 22, 4:39 pm)

Re: OBSD's perspective on SELinux, Darrin Chandler, (Sat Sep 22, 12:00 pm)

Re: OBSD's perspective on SELinux, Eduardo Tongson, (Sat Sep 22, 12:52 pm)

Re: OBSD's perspective on SELinux, Jason Dixon, (Sat Sep 22, 12:20 pm)

Re: OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 1:21 pm)

Re: OBSD's perspective on SELinux, Ihar Hrachyshka, (Sat Sep 22, 1:38 pm)

Re: OBSD's perspective on SELinux, David Gwynne, (Mon Sep 24, 10:08 am)

Re: OBSD's perspective on SELinux, Jason Dixon, (Mon Sep 24, 10:25 am)

Re: OBSD's perspective on SELinux, , (Mon Sep 24, 2:28 pm)

Re: OBSD's perspective on SELinux, Brian Candler, (Sun Sep 23, 3:25 pm)

Re: OBSD's perspective on SELinux, Eduardo Tongson, (Sat Sep 22, 2:00 pm)

Re: OBSD's perspective on SELinux, Jeffrey 'jf' Lim, (Sat Sep 22, 12:26 pm)


linux-kernel:
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Andi Kleen	[PATCH] [3/58] x86_64: asm/ptrace.h needs linux/compiler.h
Ingo Molnar	Re: containers (was Re: -mm merge plans for 2.6.23)
Greg Kroah-Hartman	[PATCH 002/196] Chinese: rephrase English introduction in HOWTO
git:

linux-netdev:
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 0/37] dccp: Feature negotiation - last call for comments
David Miller	[GIT]: Networking
Linus Torvalds	Re: iptables very slow after commit 784544739a25c30637397ace5489eeb6e15d7d49
openbsd-misc:

Re: OBSD's perspective on SELinux

Online users