On 11/29/2010 4:09 PM, Christopher Chan wrote:
In reality, I am not at all sure that a quantum leap in complexity adds to security at all. Any proper use of old-school group permissions can give as finely-grained a security policy as you would like.
No, it won't.
Suppose I'm running CentOS on a workstation, and have a need to access a corporate webapp written in Flash, read corporate documents in PDF, and use other applications written in Java. So I'm going to be living in my browser for most things corporate.
How can I prevent a compromised PDF from gaining an attacker access to my entire home directory? More to the point, how do I prevent that PDF from gaining WRITE access to files in my home directory (say, .bashrc for instance)?
If you don't trust your software, run it under a uid that doesn't have write access to anything important - or in a VM or a different machine for that matter. X has no problem displaying programs running with different uids or locations.
Hurrah! That's it! Just move the problem elsewhere.
Yes, if you are concerned about security of certain files it is indeed a good idea to run software you don't trust elsewhere. And if the problem is not trusting software, why are you putting blind faith in the SELinux code?
Oh, you snipped out a bit too much. Write access is not just the problem. Being able to upload and execute is also a problem. Can you say 'bot'?
You don't need SELinux to mount the space writable by the uid in question with the noexec option.
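The uid-plus-noexec arrangement described above, written out as a script. This is an added example, not code from anyone in the thread: the user name pdfview, the mount point /home/pdfview and the use of evince as the viewer are assumptions, and the mount_is_noexec check reads /proc/mounts (or a file passed in for offline testing) so the script refuses to open a document unless the noexec option is actually in effect.

```shell
#!/bin/sh
# Added example (not from the original thread): open an untrusted document
# under a throwaway uid whose only writable space is a noexec tmpfs, so a
# compromised viewer can neither touch the real home directory nor execute
# anything it manages to write. Names below are hypothetical.

SANDBOX_USER=pdfview          # assumed throwaway uid
SANDBOX_HOME=/home/pdfview    # assumed mount point for its tmpfs home

# mount_is_noexec MOUNTPOINT [MOUNTS_FILE]
# Exit 0 if MOUNTPOINT is listed with the noexec option, 1 otherwise.
# Reads /proc/mounts by default; the optional second argument lets the
# check be run against a saved copy of that file.
mount_is_noexec() {
    awk -v mp="$1" '
        $2 == mp && match("," $4 ",", ",noexec,") { found = 1 }
        END { exit !found }' "${2:-/proc/mounts}"
}

# setup_sandbox (root): create the uid and mount its home noexec.
# The tmpfs is owned by the sandbox uid and nothing else is writable to it.
setup_sandbox() {
    id "$SANDBOX_USER" >/dev/null 2>&1 ||
        useradd -M -s /sbin/nologin "$SANDBOX_USER"
    mkdir -p "$SANDBOX_HOME"
    uid=$(id -u "$SANDBOX_USER")
    gid=$(id -g "$SANDBOX_USER")
    mount -t tmpfs \
        -o "noexec,nosuid,nodev,uid=$uid,gid=$gid,mode=0700,size=256m" \
        tmpfs "$SANDBOX_HOME"
    mount_is_noexec "$SANDBOX_HOME" || {
        echo "setup failed: $SANDBOX_HOME is not mounted noexec" >&2
        return 1
    }
}

# run_in_sandbox FILE (root, from an X session): copy the document into the
# tmpfs, let the sandbox uid talk to this X server, and run the viewer as
# that uid. The viewer only ever sees the copy.
run_in_sandbox() {
    f=$1
    name=$(basename "$f")
    mount_is_noexec "$SANDBOX_HOME" || {
        echo "refusing: $SANDBOX_HOME is not mounted noexec" >&2
        return 1
    }
    cp "$f" "$SANDBOX_HOME/$name"
    chown "$SANDBOX_USER" "$SANDBOX_HOME/$name"
    # Server-interpreted local-user access: no xauth cookie to copy around.
    xhost "+SI:localuser:$SANDBOX_USER" >/dev/null
    su -s /bin/sh "$SANDBOX_USER" -c \
        "env DISPLAY=$DISPLAY HOME=$SANDBOX_HOME evince '$SANDBOX_HOME/$name'"
    xhost "-SI:localuser:$SANDBOX_USER" >/dev/null
}

case "${1:-}" in
    setup) setup_sandbox ;;
    open)  run_in_sandbox "$2" ;;
esac
```

Usage: `sudo ./sandbox.sh setup` once per boot, then `sudo ./sandbox.sh open report.pdf` from your X session. The tmpfs is lost at reboot, which is the point; nosuid and nodev are included because a writable mount without them still leaves two ways to turn write access into something worse.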