On Wednesday 2008-07-09 at 21:36 -0000, Jim Henderson wrote:

> On Wed, 09 Jul 2008 22:02:31 +0200, Carlos E. R. wrote:
>
>> No, it prevents a program initiated by the system, a program serving some service, from accessing things it was not designed to access. And it doesn't mean the user did something wrong: it may be that a cracker found a hole and violated apache.
>
> I see. So the system initiates programs - sometimes programs that are untrusted? Perhaps sometimes programs that are *infected* with something?

No, trusted programs, but being daemons that serve services from the outside, they are at risk.

>> Even if an on-access-scanner scanned the apache binary chances are it wouldn't find anything wrong... because linux binaries are very diverse.
>
> Sure, but it wouldn't be the apache binaries that were at issue. It'd be whatever it was that apache *called* that behaved badly.

No, you need to know in advance what apache will call (everything!). If apache is protected by an AA profile it cannot start anything not in the profile, and the children themselves have to be profiled beforehand. So yes, it is the apache binaries that are at issue here (for AA).

-- 
Cheers,
Carlos E. R.
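
An illustration of the point made in the message above, added here and not taken from the thread or from any profile shipped by openSUSE: an AppArmor profile sketch in which the confined daemon may execute only what its rules name, and the helper it starts needs a profile of its own. The binary paths, the helper name `report-helper` and the file rules are assumptions chosen for illustration.

```apparmor
# Constructed example. Paths and the helper name are assumptions.
#include <tunables/global>

/usr/sbin/httpd2-prefork {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setuid,
  capability setgid,

  network inet stream,

  /usr/sbin/httpd2-prefork mr,
  /etc/apache2/** r,
  /srv/www/htdocs/** r,
  /var/log/apache2/* w,

  # The only exec rule. "Px" means: run this helper, but only by
  # switching to the helper's own profile, with a scrubbed environment.
  # If no profile for the helper is loaded, the exec fails.
  /usr/lib/apache2/report-helper Px,

  # There is deliberately no rule for /bin/sh, /usr/bin/perl or any
  # other program. An exec of those from a compromised worker is
  # denied and recorded in the audit log.
}

# The child has to be profiled beforehand, as the message says.
/usr/lib/apache2/report-helper {
  #include <abstractions/base>

  /usr/lib/apache2/report-helper mr,
  /srv/www/data/report/* r,

  # No exec rules at all: the helper cannot start anything further.
}
```

A denied exec shows up in the audit log as an AppArmor `DENIED` record whose `requested_mask` contains `x`, which makes a useful detection signal for a daemon trying to start something outside its profile.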