Comments on: Preventing Disclosure http://www.usefulsecurity.com/2007/08/preventing-disclosure/ Solving real security problems that matter to real users Mon, 06 Sep 2010 23:27:42 +0000 http://wordpress.org/?v=2.6.1 By: c-had http://www.usefulsecurity.com/2007/08/preventing-disclosure/#comment-39 c-had Fri, 12 Sep 2008 03:18:25 +0000 http://www.usefulsecurity.com/?p=15#comment-39 Marcelo: The example above does not place any requirements on the end user. Authentication is performed by the web application itself, and that web application controls access to its data. The point of the above is that I used SELinux to prevent any other web app from accessing this web app's private data. Note that there are ways to utilize remote SELinux contexts between two cooperating SELinux systems, but they are not useful in your average web application due to that need to have cooperating systems. This is a much simpler example. If you're interested in using remote SELinux contexts between SELinux systems to enforce multi-system policies, I suggest you check out http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/ Marcelo:
The example above does not place any requirements on the end user. Authentication is performed by the web application itself, and that web application controls access to its data. The point of the above is that I used SELinux to prevent any other web app from accessing this web app’s private data.

Note that there are ways to utilize remote SELinux contexts between two cooperating SELinux systems, but they are not useful in your average web application due to that need to have cooperating systems. This is a much simpler example. If you’re interested in using remote SELinux contexts between SELinux systems to enforce multi-system policies, I suggest you check out http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/

]]> By: Marcelo http://www.usefulsecurity.com/2007/08/preventing-disclosure/#comment-38 Marcelo Wed, 10 Sep 2008 13:22:26 +0000 http://www.usefulsecurity.com/?p=15#comment-38 I would like to know if, in order for this example to run properly, the web page user should also be running a system with SELinux, or it could be any client. How, is the authentication done if the user is not using SELinux? How do you know his SecurityContext? Or you solved the authentication in a DAC way? Thanks! I would like to know if, in order for this example to run properly, the web page user should also be running a system with SELinux, or it could be any client.
How, is the authentication done if the user is not using SELinux? How do you know his SecurityContext? Or you solved the authentication in a DAC way?
Thanks!

]]> By: c-had http://www.usefulsecurity.com/2007/08/preventing-disclosure/#comment-3 c-had Wed, 22 Aug 2007 14:29:51 +0000 http://www.usefulsecurity.com/?p=15#comment-3 I'm sorry you couldn't understand some of the parts. If you have any specific questions, please post them and I'll do my best to answer them. I’m sorry you couldn’t understand some of the parts. If you have any specific questions, please post them and I’ll do my best to answer them.

]]> By: Daniel http://www.usefulsecurity.com/2007/08/preventing-disclosure/#comment-2 Daniel Fri, 17 Aug 2007 16:08:58 +0000 http://www.usefulsecurity.com/?p=15#comment-2 I couldn't understand some parts of this article nting Disclosure at Useful Security, but I guess I just need to check some more resources regarding this, because it sounds interesting. I couldn’t understand some parts of this article nting Disclosure at Useful Security, but I guess I just need to check some more resources regarding this, because it sounds interesting.

]]>