Comments on: What’s new in SELinux for Red Hat Enterprise Linux 5?

by: Cafaro’s Ramblings » Nice Article on SELinux in RHEL5 (and some interesting Comments)

Sun, 29 Jun 2008 23:20:25 +0000

[…] http://www.redhatmagazine.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/ […]

by: Apple sandboxes further use at Useful Security

Tue, 24 Jun 2008 02:19:28 +0000

[…] It looks like Apple will be using sandboxes for a bit more than the current couple processes in the future (perhaps Snow Leopard). Looking at the CUPS code (CUPS was purchased by Apple in February of last year), they’ve added support for sandboxes to their development tree, which will theoretically make it into CUPS 1.4. As OS X exploits start to become available in the wild, I hope Snow Leopard confines many more applications (maybe Safari…). It’s nice to see so many major operating systems adding advanced access control features. […]

by: Dan Walsh

Tue, 19 Feb 2008 20:41:43 +0000

Read

danwalsh.livejournal.com from the beginning.

by: Neil

Tue, 19 Feb 2008 20:24:53 +0000

SELinux for CentOS 5 is extremely difficult to understand. Is there a “101″ tutorial that explains the basic concepts in plain English?

by: Jeremy

Tue, 28 Aug 2007 22:39:38 +0000

I work for a large bank and was until now convinced that SeLinux was the way to go, reading all the responses to this article has definitely changed my mind, I am now back to square one in my research for a solution for our servers.

by: Rod

Wed, 18 Jul 2007 16:49:47 +0000

There is a typo in your command:

grep httpd_t /var/log/audit/audit.log | audit2allow -m myhttpd; semodule -i myhttpd.pp

Should be (with a capital -M):

grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd; semodule -i myhttpd.pp

by: Shakeel

Fri, 08 Jun 2007 19:12:06 +0000

What kind of Modems for internet connectivity are supported?Are the Win Modems work with this release of Linux?

by: spender

Fri, 08 Jun 2007 00:36:55 +0000

Bibo: You’re right to an extent. Any kind of authentication information that can be grabbed from within apache’s address space or contained in any file apache can access can be used against mysql. In cases like website forums (like PHPbb) for example, apache needs access to the site’s config file. Contained in the config file is the cleartext password for administering the forum database, so a compromise of apache can be used to completely control the contents of that forum database. As you’ve already guessed, the separation between services isn’t as clear as RedHat’s diagrams would like you to believe.

Wayne: I’m glad you appreciate the efforts of people who intentionally distort facts in an effort to improve their company’s image, not your security, as long as it appears to be done in a “rational, civil” manner. Did you have anything technical (or rational, unlike your ad-hominem attacks) to contribute to the discussion? Were any of my many points wrong at all? You’re forgetting history and where all these cheap security ripoffs are coming from. Can you take a guess what prompted RedHat to propose a null pointer dereference protection (while I’m here, let me throw a md5sum out: 3812e371986ad24ace67bab90fd07ca4) for Linux?

For commercial entities, money is the bottom line. Don’t be fooled into thinking true security is of great importance. Merely the illusion of security, obfuscated through misleading graphs and half-baked solutions aimed at unintelligent hackers, is good enough — so long as everyone shuts up about the details and remains “civil,” so long as the majority of the security community isn’t laughing at them. Attempting to marginalize security experts who point out the devil in the details only helps in further enabling RedHat to continue their disinformation campaign. It’s these people you don’t like, these people that tarnish the perfect image you have of RedHat that are the ones improving your security. Here’s some reading for you (not that I think you’ll understand any of it):
http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
http://fist.immunitysec.com/pipermail/dailydave/2006-November/003742.html

by: Wayne Wolfe

Wed, 06 Jun 2007 16:32:56 +0000

Thanks for the article on SeLinux which evolved into a “sales pitch” about PaX. It is unfortunate that anyone who attempts to provide information to the community at large must risk be subjected to uncivilized rants. Both Spender and the PaX Team apparently have ego issues which prevent them from participating in rational, civil discourse. I, for one, appreciate your efforts.

Regards,
Wayne

by: Bibo

Wed, 06 Jun 2007 15:19:27 +0000

Nice article.

But I don’t understand your example wit httpd and mysqld.
Normally, the web server works with databases and this case the httpd has to communicate with mysqld/postgresd. If once the attacker gains access through the web server, then your database will be compromise too, because your httpd has access to mysqld. Is it true?

Regards,
Bibo