Re: RPM security (a newbie question)

Stanisław T. Findeisen wrote:
> Todd Zullinger wrote:
>> And, of course, on top of compiler options and firewalls, SELinux is
>> one more layer that is added to protect against problems in upstream
>> code.  If upstream code has some hole that tries to mail off
>> /etc/passwd somewhere, this is very likely to be denied by SELinux.
>> And when someone reports the denial, Dan, Miroslav, and the other
>> SELinux maintainers aren't too likely to allow it without asking what
>> good reason the upstream code would have to take such an action.
>
> SELinux will not help you more if it gets overwritten/rootkitted by a malicious RPM package (for instance during the install process).
>
> You execute rpm install as root, don't you?

SELinux might help you there, but it depends entirely on the policy in use. SELinux has no concept of "root" as you understand it. In SELinux, root is just another user that can be confined like everyone else. The current policy maintains the traditional "root is god" sort of thing, but this is not a requirement of SELinux but a requirement of its user base.

As to what protection the current policy in use provides against that sort of thing, others more qualified may answer in more detail. If SELinux interests you, then read this:

http://docs.fedoraproject.org/selinux-user-guide/


--
"Any fool can know. The point is to understand" --Albert Einstein

Bored??
http://fiction.wikia.com/wiki/Fuqwit1.0

http://fiction.wikia.com/wiki/Coding_the_Magic_into_the_Eight_Ball
