Re: RPM security (a newbie question)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2009-04-02 at 15:22 +0200, "Stanisław T. Findeisen" wrote:
> Todd Zullinger wrote:
> > And, of course, on top of compiler options and firewalls, SELinux is
> > one more layer that is added to protect against problems in upstream
> > code.  If upstream code has some hole that tries to mail off
> > /etc/passwd somewhere, this is very likely to be denied by SELinux.
> > And when someone reports the denial, Dan, Miroslav, and the other
> > SELinux maintainers aren't too likely to allow it without asking what
> > good reason the upstream code would have to take such an action.
> 
> SELinux will not help you more if it gets overwritten/rootkited by 
> malicious RPM package (for instance during the install process).
> 
> You execute rpm install as root, don't you.

Actually depending on the policy that is configured SELinux could help
here. The root account is not "special" to SELinux and can be confined
just like any other user.

I am not aware of any specific work looking at preventing malicious
packages from harming the system (since most of the work here is aimed
at securing the package delivery and ensuring that packages from
untrusted sources are not installed inadvertently) but there are others
on this list who can probably provide more insight into how well this
could be made work.

Regards,
Bryn.


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux