[Info-vax] Desirable features for VMS
Arne Vajhøj
arne at vajhoej.dk
Fri Jan 26 09:42:13 EST 2024
On 1/26/2024 8:16 AM, Simon Clubley wrote:
> On 2024-01-25, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 1/25/2024 6:59 PM, Stephen Hoffman wrote:
>>> Jails / sandboxes can be built upon some of the parts of mandatory
>>> access controls, but I ~never want to have to use a system configured
>>> for SEVMS-style MAC. Jails, sure. SEVMS-style MAC, not so much.
>>
>> SEVMS-style MAC was targeting the 1980's requirements.
>
> When I talk about MAC, I am talking about SELinux style MAC, not SEVMS.
>
> I've read the public SEVMS documentation and it is way too limiting for
> today's world. SELinux fits right in however. One of the things I like
> about SELinux is just how fine-grained and how wide-ranging the control
> is. For example, you can allow a service to make outgoing TCP connections
> on some ports and deny it access to everything other TCP port.
>
> That way, even if the service gets compromised, the shellcode _still_
> can't make an outgoing connection on any TCP port the service has been
> denied access to.
Is that even MAC? Elsewhere it is called a software firewall.
It is certainly a well known feature. Windows also got it.
In theory it does enhance security. With no other mitigations
in place it can prevent some problems. Like Log4Shell.
But I don't know about how much impact it has in real life.
Secure servers are already behind a firewall that by default
blocks, so outgoing traffic is blocked. And users of
not-so-secure PC's tend to open ports when asked without
thinking.
Arne
More information about the Info-vax
mailing list