Re: OBSD's perspective on SELinux

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Brian Candler <B.Candler@...>

To: Rui Miguel Silva Seabra <rms@...>, <misc@...>

Subject: Re: OBSD's perspective on SELinux

Date: Monday, September 24, 2007 - 11:31 am

On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:

quoted text

> On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
> > OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
> > compact OS done by folks you can trust and actually talk to, use OBSD; if
> > you want 'fairly secure Linux' [which has had thousands of hand in it
> > including NSA, as mentioned previousy], use OpenSUSE with ***AppArmor***.
> > Simple and easy to implement, even by less senior Admins.
>
> Can you say "root can only run this and that application when su'ed from
> that guy, and may not open any net connection, but open this file and none
> else" in OpenBSD? If so, how can I do it? :)

You solve the problem a different way:

- You don't give the guy root access, but their own userid

- You set file permissions so this userid can read only the file of interest

- You use pf rules so that this user ID cannot send network packets

- If this guy needs root for something (e.g. to bind to port 80), then you
write a three-line setuid root wrapper which binds to port 80 for them.
If you have a lot of this to do, then consider an 'open server' which
returns the open file descriptor.

Regards,

Brian.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 11:34 am)

Re: OBSD's perspective on SELinux, Damien Miller, (Mon Sep 24, 11:09 pm)

Re: OBSD's perspective on SELinux, Chris Kuethe, (Mon Sep 24, 10:52 am)

Re: OBSD's perspective on SELinux, Marco Peereboom, (Sat Sep 22, 11:27 pm)

Re: OBSD's perspective on SELinux, L. V. Lammert, (Sat Sep 22, 7:47 pm)

Re: OBSD's perspective on SELinux, Rui Miguel Silva Seabra, (Sun Sep 23, 5:54 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Mon Sep 24, 1:29 pm)

Re: OBSD's perspective on SELinux, Jacob Yocom-Piatt, (Mon Sep 24, 2:17 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Mon Sep 24, 3:14 pm)

Re: OBSD's perspective on SELinux, Brian Candler, (Mon Sep 24, 11:31 am)

Re: OBSD's perspective on SELinux, Rui Miguel Silva Seabra, (Mon Sep 24, 11:59 am)

Re: OBSD's perspective on SELinux, Marc Espie, (Tue Sep 25, 6:06 am)

Re: OBSD's perspective on SELinux, Marc Espie, (Tue Sep 25, 8:34 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Joachim Schipper, (Sun Sep 23, 6:35 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Martin Schröder, (Mon Sep 24, 11:18 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Lars Hansson, (Tue Sep 25, 1:57 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Darren Spruell, (Tue Sep 25, 2:32 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Gilles Chehade, (Mon Sep 24, 5:40 am)

Re: digitally signed distribution (was: OBSD's perspective o..., Martin Schröder, (Mon Sep 24, 12:02 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Antti Harri, (Mon Sep 24, 1:32 pm)

Re: digitally signed distribution (was: OBSD's perspective o..., Rui Miguel Silva Seabra, (Sun Sep 23, 6:38 pm)

Re: OBSD's perspective on SELinux, Ted Unangst, (Sat Sep 22, 2:50 pm)

Re: OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 4:21 pm)

Re: OBSD's perspective on SELinux, , (Sat Sep 22, 7:20 pm)

Re: OBSD's perspective on SELinux, Stuart Henderson, (Sat Sep 22, 4:00 pm)

Re: OBSD's perspective on SELinux, Joachim Schipper, (Sat Sep 22, 12:29 pm)

Re: OBSD's perspective on SELinux, Ihar Hrachyshka, (Sat Sep 22, 12:45 pm)

Re: OBSD's perspective on SELinux, Joachim Schipper, (Sat Sep 22, 4:39 pm)

Re: OBSD's perspective on SELinux, Darrin Chandler, (Sat Sep 22, 12:00 pm)

Re: OBSD's perspective on SELinux, Eduardo Tongson, (Sat Sep 22, 12:52 pm)

Re: OBSD's perspective on SELinux, Jason Dixon, (Sat Sep 22, 12:20 pm)

Re: OBSD's perspective on SELinux, Douglas A. Tutty, (Sat Sep 22, 1:21 pm)

Re: OBSD's perspective on SELinux, Ihar Hrachyshka, (Sat Sep 22, 1:38 pm)

Re: OBSD's perspective on SELinux, David Gwynne, (Mon Sep 24, 10:08 am)

Re: OBSD's perspective on SELinux, Jason Dixon, (Mon Sep 24, 10:25 am)

Re: OBSD's perspective on SELinux, , (Mon Sep 24, 2:28 pm)

Re: OBSD's perspective on SELinux, Brian Candler, (Sun Sep 23, 3:25 pm)

Re: OBSD's perspective on SELinux, Eduardo Tongson, (Sat Sep 22, 2:00 pm)

Re: OBSD's perspective on SELinux, Jeffrey 'jf' Lim, (Sat Sep 22, 12:26 pm)


linux-kernel:
Stephen Smalley	Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Jan Engelhardt	intel iommu (Re: -mm merge plans for 2.6.23)
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
git:

linux-activists:
David Fenyes	sigsetmask()? (LINUX)
Stephen Tweedie	Unmounting root (no kidding!) [was: Some Linux problems---solved]
Les Andrzejewski	X386/WD90C31/SUMSUNG SYNC MASTER 4
Doug Evans	Re: Stabilizing Linux
linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Linus Torvalds	Re: [GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Herbert Xu	Re: [PATCH] myr10ge: again fix lro_gen_skb() alignment

Re: OBSD's perspective on SELinux

Online users