Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: Kernel module for file protection ideas
From: Aditya [ Aditya Lalit Deshmukh ] (adityaonline.gateway.technolabs.net)
Date: Sat Jan 10 2004 - 12:47:55 CST
dont get me wrong - i looked at the psedo code and started making some assumptions that you were reinventing the wheel. The selinux is a fine implementation of the flask arch!
that is just what i use on the firewall - it works and does what it is supposed to do nicely though i liked openbsd more but had to try out Selinux some time or the other
do keep me updated about the kernel module if you are going to make one - however if you have the necessary skills then help the SElinux itself
From: Valdis.Kletnieksvt.edu [mailto:Valdis.Kletnieksvt.edu]
Sent: Saturday, January 10, 2004 2:57 AM
Cc: Just1n T1mberlake; vuln-devsecurityfocus.com
Subject: Re: Kernel module for file protection ideas
On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <adityaonline.gateway.technolabs.net> said:
> this would be a very bad idea as any kernel level programmer will tell you
> that every 'if' takes time for comparison and you will be doing that every time
> for evry file access and parsing through a list of datastructs and other stuff
> that would possibally will make the system very slow for any "real world" use
Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticable. On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).
The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There's places in the filesystem you want /bin/ls to be able to look but you
don't want /bin/passwd to be looking.
The policy.conf file for the SELinux on my laptop is 55,000+ lines long. And
that's the REAL issue - trying to describe the security policy for a production
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)