Blocking root from changing labels

Payment Online snacktime2 at gmail.com
Sun Sep 19 00:04:36 GMT 2004


Are there practical methods of blocking root from changing biba/mls
labels on objects?  Right now I'm thinking of disabling su and only
allowing root to login at the console.

Also, if anyone wants to comment on my first attempt at using MAC to
protect a database server.  I loaded the partition and biba modules,
setting most of the system at biba/high, the network interface at
biba/equal(equal-equal), and /var and /tmp at biba/equal.  I also set
some of the /dev entries at biba/equal.  The database server user
label is biba/low, and all the database files are biba/low.  Now this
seems to pretty much lock any other user from getting any access to
the database files directly, but what am I really gaining by using MAC
in this setup that I couldn't do with ordinary file permissions?  I
guess one thing would be that if there was a bug or misuse of
postgresql that elevated its permissions to root, the biba labels
would block that.

Chris
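
As an added illustration (not part of the original message and not TrustedBSD code), the sketch below models the Biba strict-integrity read/write rules for the three labels named in the post and evaluates them against the described layout. Numeric grades, compartments and label ranges are left out; the file paths and the biba/high label on the ordinary user are assumptions.

```python
# Minimal model of Biba strict integrity for the labels low, high and equal.
GRADE = {"low": 0, "high": 1}

def dominates(a, b):
    """True when label a dominates label b; 'equal' is exempt from the policy."""
    if a == "equal" or b == "equal":
        return True
    return GRADE[a] >= GRADE[b]

def can_read(subject, obj):
    # No read down: the object must dominate the subject.
    return dominates(obj, subject)

def can_write(subject, obj):
    # No write up: the subject must dominate the object.
    return dominates(subject, obj)

# Object labels follow the post; the paths are constructed samples.
OBJECTS = {
    "/etc/master.passwd": "high",   # "most of the system" at biba/high
    "/tmp/scratch": "equal",        # /var and /tmp at biba/equal
    "/usr/local/pgsql/data": "low", # hypothetical database directory
}

# The decision depends on the subject's label, not on its uid, so a database
# process that gains uid 0 is still evaluated as biba/low.
SUBJECTS = {
    "postgres": "low",
    "postgres after uid 0": "low",
    "ordinary user": "high",        # assumed label, not stated in the post
}

def access_matrix():
    """Map (subject, path) to a (read_allowed, write_allowed) tuple."""
    return {
        (s, p): (can_read(sl, ol), can_write(sl, ol))
        for s, sl in SUBJECTS.items()
        for p, ol in OBJECTS.items()
    }

if __name__ == "__main__":
    for (s, p), (r, w) in access_matrix().items():
        print(f"{s:22} {p:24} read={r!s:5} write={w}")
```

In this model the row for the database process is identical before and after it gains uid 0, which is the property ordinary file permissions do not provide.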
