[Info-vax] Desirable features for VMS
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Jan 26 08:16:06 EST 2024
On 2024-01-25, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 1/25/2024 6:59 PM, Stephen Hoffman wrote:
>> Jails / sandboxes can be built upon some of the parts of mandatory
>> access controls, but I ~never want to have to use a system configured
>> for SEVMS-style MAC. Jails, sure. SEVMS-style MAC, not so much.
>
> SEVMS-style MAC was targeting the 1980's requirements.
>
When I talk about MAC, I am talking about SELinux style MAC, not SEVMS.
I've read the public SEVMS documentation and it is way too limiting for
today's world. SELinux fits right in however. One of the things I like
about SELinux is just how fine-grained and how wide-ranging the control
is. For example, you can allow a service to make outgoing TCP connections
on some ports and deny it access to every other TCP port.
That way, even if the service gets compromised, the shellcode _still_
can't make an outgoing connection on any TCP port the service has been
denied access to.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
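
The port-level confinement described in the message above, written out as an SELinux policy module; this is an added example, not part of the original post. It assumes a hypothetical service domain `mysvc_t` that an existing policy already defines and allows to create TCP sockets; `http_port_t` is the reference policy's label for the HTTP/HTTPS ports.

```selinux
# Added illustration; mysvc_t is a hypothetical, already-defined service domain.
module mysvc_net 1.0;

require {
    type mysvc_t;        # hypothetical domain the service runs in
    type http_port_t;    # reference-policy port type (e.g. tcp 80 and 443)
    class tcp_socket name_connect;
}

# Too broad (shown commented out for contrast): port_type is the attribute
# carried by every port type, so this rule would permit connect() to any
# TCP port. It would also need "attribute port_type;" in the require block.
# allow mysvc_t port_type:tcp_socket name_connect;

# Confined: connect() is permitted only to ports labelled http_port_t.
# SELinux denies whatever no rule allows, so a connect() from mysvc_t to
# any other TCP port fails and is recorded as an AVC denial in the audit
# log, which gives the defender a detection signal as well as a block.
allow mysvc_t http_port_t:tcp_socket name_connect;
```

Allow rules are additive, so this only confines the service if no other loaded rule already grants `mysvc_t` `name_connect` on broader port types; `sesearch --allow -s mysvc_t -c tcp_socket -p name_connect` lists what is actually in effect.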