[Wolves] Opinions wanted on a specific SELinux bool
Adam Sweet
adamsweet at gmail.com
Wed Feb 15 11:13:18 UTC 2023
You probably gathered, but this is beyond my SELinux understanding...
Hope you figured it out.
Ad
On 10/02/2023 13:51, Simon Burke via Wolves wrote:
> Hi,
>
> So this is work related. Today, I'm slowly getting myself into a form of
> hell with SELinux policies and semi-complex ksh scripts.
>
> The bool 'domain_can_mmap_files' currently defaults to off.
>
> It is my understanding that the intention of this bool is to force
> validation every time a process accesses a particular file. Which is
> only useful if we expect context changes.
>
> Would that mean if we did not expect context changes, then it would be
> relatively safe to enable this bool? Considering this server will be
> providing an internet facing service.
>
> I assume as the initial access of the file is still validated, then we
> don't have too much to worry about. Unless something malicious is
> somehow executed that changes the context of a file while it's mapped.
>
> Other mitigations are in place like clamd (but that only scans input
> from end users), and rkhunter periodically runs. There is also
> inspection done to traffic inbound to the server via network based IDS/IPS.
>
> Thanks,
> Simon.
>
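An added example, not part of the thread: `domain_can_mmap_files` controls whether domains are granted the SELinux `map` permission on files, so before changing it one can summarise which domains are actually being denied `map` and on which file types. The audit records and the type names (`myapp_t`, `lib_t`, `usr_t`, `etc_t`) are constructed sample data, and `map_denials` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread).
SAMPLE_AVC='type=AVC msg=audit(1676034660.101:410): avc:  denied  { map } for  pid=2101 comm="ksh" path="/opt/app/lib/libapp.so" dev="dm-0" ino=1101 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676034661.202:411): avc:  denied  { read map } for  pid=2102 comm="ksh" path="/opt/app/lib/libaux.so" dev="dm-0" ino=1102 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676034662.303:412): avc:  denied  { map } for  pid=2103 comm="awk" path="/usr/share/app/data.bin" dev="dm-0" ino=1103 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1676034663.404:413): avc:  denied  { read } for  pid=2104 comm="ksh" path="/etc/app.conf" dev="dm-0" ino=1104 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read audit records on stdin and print one line per distinct
# (source type, target type, class) that was denied "map":
#   <count> <source_type> <target_type> <class>
# Denials that do not include "map" are ignored.
map_denials() {
  awk '
    /avc: +denied/ && /[{][^}]* map / {
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        # Contexts are user:role:type:level, so the type is the 3rd part.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      n[s " " t " " c]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k2
}

# Demo on the constructed sample. On a real host the input would come from
# the audit log instead, e.g.:  ausearch -m AVC --raw | map_denials
printf '%s\n' "$SAMPLE_AVC" | map_denials
```

A short list confined to one or two domains points towards a targeted policy rule for those types; the current state of the boolean itself can be read with `getsebool domain_can_mmap_files`.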