[Cryptography] Do capabilities work? Do ACLs work?

Tom Mitchell mitch at niftyegg.com
Tue Feb 10 22:15:46 EST 2015


On Tue, Feb 10, 2015 at 4:08 PM, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 2/10/15 at 2:49 PM, leichter at lrw.com (Jerry Leichter) wrote:
>
>> There's a more fundamental issue here:  As engineers, we try to formalize
>> everything.
>
I scanned for and did not see a mention of targeted policy on SELinux.

Attempting to establish a policy for _everything_ is hard if not impossible.
However some activities like an apache web server do have well bounded
activities and lend themselves to many types of containerization.

Some policy systems make objects outside of your label set invisible.
Some let you see what there is e.g. what keeps you out.   One is difficult
to debug and the other harder to attack unless it is in a package that
the entire community (good+bad guys) has access to.

Other policy systems are excellent at audit and make a valuable tool
for the construction of an intrusion detection system.   Any policy tool
without audit is lacking.  To this end I tend to install SELinux and use it as
an audit tool on friendly systems and as an enforcing tool on boxes
exposed to the wild.




-- 
  T o m    M i t c h e l l
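The post above treats a policy system's audit trail as raw material for intrusion detection, with SELinux run in permissive mode where you only want the log and in enforcing mode where you want it to block. The following is an added example (not from the post, the list, or the SELinux project) showing what that looks like in practice: a small parser that reads kernel AVC audit records, groups denials by source domain, target type and object class, and records whether each group was merely logged (`permissive=1`) or actually blocked. The field layout follows the real AVC record format; the sample records, PIDs, inode numbers and contexts are constructed for the example and do not come from any system.

```python
"""Summarise SELinux AVC audit records as an intrusion-detection signal.

Added example. The record layout (type=AVC ... avc: denied { perms } for ...
scontext= tcontext= tclass= permissive=) is the kernel's real AVC format; the
sample lines below are constructed, not captured from a real host.
"""
import re

# Constructed sample audit records (e.g. what `ausearch -m AVC -r` would emit).
# The first three carry permissive=1: SELinux only logged them. The fourth
# carries permissive=0: enforcing mode actually denied the action.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1423603200.101:501): avc:  denied  { read } for  pid=2210 comm="httpd" name="shadow" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1423603200.102:502): avc:  denied  { read open } for  pid=2210 comm="httpd" name="shadow" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1423603205.300:503): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1423603210.000:504): avc:  denied  { execute } for  pid=2212 comm="httpd" name="sh" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1423603210.000:504): arch=c000003e syscall=59 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # The SELinux type is the third colon-separated field of a context.
    return {
        "perms": sorted(d["perms"].split()),
        "comm": d["comm"],
        "source_type": d["scontext"].split(":")[2],
        "target_type": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        # True: logged only (permissive). False: blocked (enforcing).
        # None: older kernels that do not emit the field, so we cannot tell.
        "permissive": None if d["permissive"] is None else d["permissive"] == "1",
    }


def summarise(log_text):
    """Group denials by (source type, target type, class); count and flag blocks."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        g = groups.setdefault(key, {"count": 0, "perms": set(), "blocked": 0, "comms": set()})
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        if rec["permissive"] is False:
            g["blocked"] += 1
    rows = [
        {"source": src, "target": tgt, "tclass": cls, "count": g["count"],
         "perms": sorted(g["perms"]), "blocked": g["blocked"], "comms": sorted(g["comms"])}
        for (src, tgt, cls), g in groups.items()
    ]
    # Most frequent first; ties broken deterministically by name.
    rows.sort(key=lambda r: (-r["count"], r["source"], r["target"]))
    return rows


def format_report(rows):
    """Render the grouped denials as one line per (source, target, class)."""
    out = []
    for r in rows:
        mode = "BLOCKED" if r["blocked"] else "logged-only"
        out.append("%3d x %-12s %s -> %s (%s) { %s } [%s]" % (
            r["count"], mode, r["source"], r["target"], r["tclass"],
            " ".join(r["perms"]), ",".join(r["comms"])))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_AUDIT_LOG)))
```

In the sample, the web server domain reaching for `shadow_t` and for the database port shows up as logged-only groups, which is the kind of surprise a permissive "friendly" system surfaces for review, while the `execute` on `shell_exec_t` is counted as blocked, which is what the same policy does on an enforcing box. On a real host the input would come from `/var/log/audit/audit.log` or `ausearch -m AVC -r`; the grouping by type rather than by PID or inode is what makes the output stable enough to diff against a known-good baseline.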