Mailing List Archive

Re: [tlug] Dealing with software with wide attack surface

On Sun, Aug 29, 2021 at 01:17:58PM +0900, Michael Paddon wrote:
> [..]
> This is good advice. More formally, you should try to implement a "reference
> monitor".
> Jaeger (2011) describes the concept as "a system component, called a
> reference validation mechanism, will be responsible for enforcing the
> system’s access control policy over user process operations. The reference
> monitor concept defines the requirements for implementing such a mechanism
> in a manner that ensures that malicious users cannot circumvent policy
> enforcement."
> There's a good discussion here on why this pattern is helpful.

That reminds me a lot of SELinux.
While Debian services in general do not come with SELinux policies,
the kernel is compiled for SELinux. Maybe I should try to run
Lychee in a container, using the UBI image from Red Hat, which can
be freely distributed and should inside also nicely deal with

