Re: SELinux last straw

Somebody in the thread at some point said:
> Arthur Pemberton wrote:
>>>>
>>> The shortcut test is to su to the user in question and try to access the
>>> file/device.  The only slightly more complicated way is to walk down the
>>> path looking at the permissions for user/group/other on the file and the
>>> directories above.
>>
>> Well, these "traditional" methods didn't work for your friend Karl,
>> since he was hacked with them.
> 
> Perhaps he had a false sense of security from the supposed other layers
> claimed to be present, when paying attention to the obvious would have
> been more beneficial.  That's the main reason I question the value of
> SELinux in the first place.  It doesn't come into play unless you have
> already made a mistake with the simple things and it diverts attention
> and makes it appear to be unimportant to get those things right.

It's generally accepted that layers of security are a good thing.
Turning what you say around, relying on getting one brittle layer
completely right and having nothing behind it doesn't sound like a
better system.

Considering where the real hacks actually come from, you might get PHP
"safe mode" completely "right" but somebody knows a sneaky way out
anyway.  If SELinux is there to spew a log alert when he tries to spawn
a shell, that is very valuable indeed.

-Andy
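
The log alert described in the message above, as an added example that is not part of the original thread: a small filter that picks SELinux AVC denials out of audit log text where a web-server domain tried to execute the shell. The sample lines are constructed, and the domain names (`httpd_t`, `httpd_sys_script_t`) and the function names are assumptions for illustration; whether a given policy actually denies this depends on the policy loaded.

```python
import re

# Constructed sample audit.log lines (not taken from the thread or a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200000000.101:501): avc:  denied  { execute } for  pid=4321 comm="httpd" name="bash" dev=dm-0 ino=131090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1200000002.330:502): avc:  denied  { read } for  pid=4321 comm="httpd" name="notes.txt" dev=dm-0 ino=222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1200000002.330:502): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1200000005.007:503): avc:  denied  { execute_no_trans } for  pid=4400 comm="php-cgi" path="/bin/bash" dev=dm-0 ino=131090 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
EXEC_PERMS = {"execute", "execute_no_trans"}


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    # Remaining fields are space-separated key=value pairs; strip the quotes.
    rec = {k: v.strip('"') for k, v in
           (kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)}
    rec["ts"], rec["serial"] = m["ts"], m["serial"]
    rec["perms"] = set(m["perms"].split())
    # An SELinux context is user:role:type:level; the type is what policy keys on.
    rec["source_type"] = rec.get("scontext", ":::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", ":::").split(":")[2]
    return rec


def shell_exec_denials(log_text, web_domains=("httpd_t", "httpd_sys_script_t")):
    """Denied attempts by a web-server domain to execute a shell binary."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get("tclass") == "file" and rec["perms"] & EXEC_PERMS
                and rec["source_type"] in web_domains
                and rec["target_type"] == "shell_exec_t"):
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in shell_exec_denials(SAMPLE_AUDIT_LOG):
        print(f'{a["ts"]} serial={a["serial"]} {a["source_type"]} '
              f'comm={a["comm"]} pid={a["pid"]} tried to exec a shell')
```
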

