
Re: [RFC] Checking the loaded policy against a policy on disk


On Fri, 19 Aug 2005, Stephen Smalley wrote:

> Any comments on this request?

Can you point me to the LSPP requirement which states that we need to do 
this?

> Any particular preference as to the particular checksum algorithm?  

It's difficult to say, given ongoing research in the area, and not really 
knowing what the threat model is.

Given that the OS binaries are checksummed with SHA-1, it may not make any 
sense to try for anything stronger.

> Does the algorithm need to be configurable?

Well, you could just make it dynamic, write the name of the algorithm into 
the node and read back the checksum generated by that algorithm.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.