* [Fwd: Re: trusted vs untrusted packages]
@ 2003-10-14 20:07 Chris PeBenito
  2003-10-14 20:13 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2003-10-14 20:07 UTC (permalink / raw)
  To: SELinux Mail List

(resend)
-----Forwarded Message-----
> Subject: Re: trusted vs untrusted packages
> Date: Mon, 13 Oct 2003 21:36:13 -0500
> 
> On Mon, 2003-10-13 at 20:07, Russell Coker wrote:
> > One idea is to have signed packages be installed by rpm running as rpm_t and 
> > unsigned packages be installed by rpm running as rpm_unsigned_t [1].  So for 
> > example we could allow rpm_unsigned_t to install files in /sbin as 
> > sbin_unsigned_t and in /bin as bin_unsigned_t [2].  Then a program installed 
> 
> I would think that some sort of trusted-path execution setup would be
> better.  I don't know much about TPE, but this sounds like one situation
> that it would be good for.  Then you could set it to not do domain
> transitions on untrusted stuff, and also require that sysadm_t only
> execute trusted stuff.  The status as trusted or untrusted could be
> handled by another xattr.  Then it also would not get overridden by a
> relabel.  But I'm getting ahead of myself, since there is no TPE in
> SELinux. </brainstorm>
> 
> Might there one day be TPE in SELinux, or is that beyond its scope?
-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [Fwd: Re: trusted vs untrusted packages]
  2003-10-14 20:07 [Fwd: Re: trusted vs untrusted packages] Chris PeBenito
@ 2003-10-14 20:13 ` Stephen Smalley
  2003-10-14 22:29   ` Trust Basics Robert Potter
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2003-10-14 20:13 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: SELinux Mail List

On Tue, 2003-10-14 at 16:07, Chris PeBenito wrote:
> > I would think that some sort of trusted-path execution setup would be
> > better.  I don't know much about TPE, but this sounds like one situation
> > that it would be good for.  Then you could set it to not do domain
> > transitions on untrusted stuff, and also require that sysadm_t only
> > execute trusted stuff.  The status as trusted or untrusted could be
> > handled by another xattr.  Then it also would not get overridden by a
> > relabel.  But I'm getting ahead of myself, since there is no TPE in
> > SELinux. </brainstorm>
> > 
> > Might there one day be TPE in SELinux, or is that beyond its scope?

Use type enforcement instead.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Trust Basics
  2003-10-14 20:13 ` Stephen Smalley
@ 2003-10-14 22:29   ` Robert Potter
  0 siblings, 0 replies; 3+ messages in thread
From: Robert Potter @ 2003-10-14 22:29 UTC (permalink / raw)
  To: 'SELinux Mail List'

I suggest we also consider using the concept of time for upgrading our
"trust" of code. This is in addition to other methods of knowing the source.
It is another line of defense.

Not all code has to be trusted immediately, or applied. 

I think this is what all of us do anyway, as we have learned to wait and
listen for problem reports before applying patches.

It is what many of us do when we rescan our download subdirectories with the
latest anti-virus, worm and trojan sigs.

Rob



