[CLUE-Tech] The NSA's version of Linux...
Matt Gushee
mgushee at havenrock.com
Thu Nov 4 09:20:16 MST 2004
On Thu, Nov 04, 2004 at 06:50:34AM -0600, Joseph A. Nagy, Jr. wrote:
> On Thu, Nov 04, 2004 at 12:48:41AM -0800, Tony M. wrote the following:
> > Damn, everyone's got a distro now.
> >
> > http://www.nsa.gov/selinux/index.cfm
>
> Technically SELinux is just a kernel patch, you can apply it to any kernel.
> Gentoo has a USE flag that allows you to set up an SELinux enabled Gentoo
> box.
Kevin Fenzi discussed this in his security presentation last month
(unfortunately, nothing posted on the Web at this point). In response to
some people's natural concerns about using code from a spy agency, he
mentioned that a number of uber-kernel-hackers had reviewed the patch
very carefully and given it the thumbs-up.
Actually, I now have a kernel with SELinux enabled. One of the
interesting things about it is that it allows you to grant privileges in
a more selective way than you could before. I'm using it to provide
low-latency performance for audio applications. The way it works is, you
have a kernel with SELinux enabled + "security capabilities" built as a
module. Then you add the third-party realtime-lsm module; you can load
it with a user or group id as a parameter, e.g.:

    modprobe realtime gid=29

Then any member of group #29 has access to the realtime clock. Thus, you
no longer have to have any programs setuid root for RTC access. Pretty
cool, huh?
--
Matt Gushee                   When a nation follows the Way,
Haven Rock Press              Horses bear manure through
Englewood, Colorado, USA        its fields;
books at havenrock.com        When a nation ignores the Way,
                              Horses bear soldiers through
                                its streets.
                                  --Lao Tzu (Peter Merel, trans.)
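As an added example (not code from the post or from the realtime-lsm project), here is a small check a member of the configured group could run as an ordinary, non-setuid user to confirm the setup works: it asks the kernel for SCHED_FIFO scheduling, which is the privilege the realtime module extends to the group, and it reads CapEff from /proc/self/status to show whether CAP_SYS_NICE (the capability behind realtime scheduling, assumed here to be what the module grants) is present. Group id 29 is the value from the post; the function names are my own.

```c
/* Added example, not from the post: verify that an unprivileged process in
 * the realtime group can obtain SCHED_FIFO without any setuid-root helper,
 * and report whether CAP_SYS_NICE shows up in its effective capability set. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_NICE_BIT 23   /* Linux capability number for CAP_SYS_NICE */

/* Parse the "CapEff:" line of a /proc/<pid>/status text.
 * Returns 1 if CAP_SYS_NICE is set, 0 if not, -1 if no CapEff line exists. */
int capeff_has_sys_nice(const char *status_text)
{
    const char *line = strstr(status_text, "CapEff:");
    if (!line)
        return -1;
    /* strtoull skips the tab after the colon and reads the hex mask */
    unsigned long long caps = strtoull(line + strlen("CapEff:"), NULL, 16);
    return (int)((caps >> CAP_SYS_NICE_BIT) & 1ULL);
}

/* Try to switch to SCHED_FIFO at a modest priority, then restore SCHED_OTHER.
 * Returns 0 on success, otherwise errno (EPERM when the caller is neither
 * root nor granted CAP_SYS_NICE, e.g. a user outside the realtime group). */
int try_realtime_scheduling(void)
{
    struct sched_param p = { .sched_priority = 10 };
    if (sched_setscheduler(0, SCHED_FIFO, &p) != 0)
        return errno;
    p.sched_priority = 0;
    sched_setscheduler(0, SCHED_OTHER, &p);
    return 0;
}

int main(void)
{
    char buf[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    printf("uid=%u CAP_SYS_NICE=%d SCHED_FIFO result=%d (0 = granted)\n",
           (unsigned)getuid(), capeff_has_sys_nice(buf), try_realtime_scheduling());
    return 0;
}
```

Run it once as a user in group 29 and once as a user outside it: the first should report result 0, the second EPERM, which is exactly the distinction the gid= parameter is meant to draw.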