Linked by Thom Holwerda on Fri 4th May 2007 22:27 UTC, submitted by diegocg
Thread beginning with comment 237587
RE[4]: Not safe against kernel exploits
by CrazyDude0 on Sat 5th May 2007 21:55
in reply to "RE[3]: Not safe against kernel exploits"
http://fedoraproject.org/wiki/Security/Features
http://www.awe.com/mark/blog/200701041544.html
As for SELinux kernel and memory security, these are the main settings I use with the targeted or strict policies under enforcing mode:
Do not allow any processes to load kernel modules (may need to be enabled depending on your needs)
Do not allow any processes to modify kernel SELinux policy (good idea to disable this when doing SELinux policy updates, then re-enable after)
Do not allow unconfined executables to make their heap memory executable
Do not allow unconfined executables to make their stack executable
Do not allow unconfined executables to map memory as both executable and writable.
Do not allow unconfined to dyntrans (change) to unconfined_execmem
With this you end up with badly or evilly written software not working, so you manually decide which ones you trust and override their file security context with chcon.
Edited 2007-05-05 20:59
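A defender-side check for the six settings in the comment above, added here as an example that is not part of the comment or of any Fedora tool: it audits `getsebool -a` output against the intended states and prints the `setsebool -P` commands that would close each gap. The boolean names are assumed to be the ones Fedora's policy used at the time; confirm them with `getsebool -a` on your own system.

```shell
# Audit the SELinux booleans behind the hardening settings in the comment above.
# Assumption: these are the boolean names Fedora's policy used around 2007
# (verify with `getsebool -a`; later policies renamed some of them).
# The secure_mode_* booleans must be ON, the allow_* booleans must be OFF.
DESIRED="secure_mode_insmod=on
secure_mode_policyload=on
allow_execheap=off
allow_execstack=off
allow_execmem=off
allow_unconfined_execmem_dyntrans=off"

# audit_booleans reads `getsebool -a` style lines ("name --> state") on stdin
# and prints one line per boolean that is missing or not in its desired state:
#   <name> current=<state> desired=<state>
# Returns 0 when every boolean matches, 1 otherwise.
audit_booleans() {
    input=$(cat)
    bad=0
    for entry in $DESIRED; do
        name=${entry%=*}
        want=${entry#*=}
        have=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ -n "$have" ] || have=missing
        if [ "$have" != "$want" ]; then
            printf '%s current=%s desired=%s\n' "$name" "$have" "$want"
            bad=1
        fi
    done
    return $bad
}

# remediation_commands turns audit_booleans output into the persistent
# `setsebool -P` calls that would close each gap (printed, not executed).
remediation_commands() {
    awk '{ split($3, d, "="); print "setsebool -P " $1 " " d[2] }'
}

# Constructed sample in `getsebool -a` format (not captured from a real host):
# module loading and writable+executable mappings are still allowed.
SAMPLE='allow_execheap --> off
allow_execmem --> on
allow_execstack --> off
allow_unconfined_execmem_dyntrans --> off
secure_mode_insmod --> off
secure_mode_policyload --> on'

# A program that legitimately needs execmem after this lockdown gets a per-file
# override instead of a global one, e.g. (hypothetical path):
#   chcon -t unconfined_execmem_exec_t /path/to/trusted-jit-binary
printf '%s\n' "$SAMPLE" | audit_booleans | remediation_commands
```

Run it as `getsebool -a | sh -c '. ./audit.sh; audit_booleans'` on a real host to see only the booleans that still need changing.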