[Wolves] Opinions wanted on a specific SElinux bool

Simon Burke simon at samandsimon.co.uk
Fri Feb 10 13:51:49 UTC 2023


So this is work related. Today, I'm slowly getting myself into a form of
hell with SELinux policies and semi-complex ksh scripts.

The bool 'domain_can_mmap_files' currently defaults to off.

It is my understanding that the intention of this bool is to force
validation every time a process accesses a particular file, which is only
useful if we expect context changes.

Would that mean that, if we did not expect context changes, it would be
relatively safe to enable this bool, considering this server will be
providing an internet-facing service?

I assume that, as the initial access of the file is still validated, we
don't have too much to worry about, unless something malicious is somehow
executed that changes the context of a file while it's mapped.

Other mitigations are in place, like clamd (but that only scans input from
end users), and rkhunter runs periodically. There is also inspection of
traffic inbound to the server by a network-based IDS/IPS.

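An added example, not part of the original post: before deciding whether to flip domain_can_mmap_files (which affects every domain at once), it is worth finding out which domain/type pairs on the box are actually being denied the "map" permission, since each such pair can be granted a narrow allow rule instead. The script below pulls those pairs out of AVC denial lines and prints one candidate rule per pair. The audit lines it reads are constructed samples, not from the poster's server, and the domain/type names in them (httpd_t, init_t, var_t, usr_t) are placeholders for whatever a real log shows.

```shell
#!/bin/sh
# Added example: triage SELinux "map" denials from audit log lines.
# Constructed sample AVC records (not from the original poster's system).
# Only the first and third are "map" denials; the second is a plain "read".
SAMPLE_AVCS='type=AVC msg=audit(1676036321.123:456): avc:  denied  { map } for  pid=1234 comm="ksh" path="/srv/app/data.bin" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676036322.456:457): avc:  denied  { read } for  pid=1234 comm="ksh" path="/srv/app/other.txt" dev="dm-0" ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676036323.789:458): avc:  denied  { map } for  pid=2222 comm="myd" path="/opt/app/lib/plugin.so" dev="dm-0" ino=111 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0'

# Print "source_type target_type class" for every denial of the map permission,
# de-duplicated. Source and target types are the third colon-separated field of
# scontext= and tcontext= (user:role:type:level).
map_denials() {
    printf '%s\n' "$SAMPLE_AVCS" |
    grep 'avc:  denied  { map }' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1 \2 \3/p' |
    sort -u
}

# Number of distinct (source, target, class) triples that need map.
count_map_denials() {
    map_denials | wc -l | tr -d ' '
}

# One targeted allow rule per triple, the narrow alternative to enabling the
# global boolean for every domain on the system.
suggest_rules() {
    map_denials | while read -r src tgt cls; do
        printf 'allow %s %s:%s map;\n' "$src" "$tgt" "$cls"
    done
}

suggest_rules
```

On a real host, replace SAMPLE_AVCS with the output of `ausearch -m AVC -ts recent` (or the relevant audit.log slice), and check the resulting pairs against what the loaded policy already allows with `sesearch -A -s <source_type> -t <target_type> -c file -p map`. Only pairs that show up as denied and are not already covered need either a local policy module or the boolean; if the list is short and stable, the module is the smaller change.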