[Novalug] SELINUX question

Kevin Chin kevinchin5@gmail.com
Mon Nov 10 23:35:51 EST 2008


FWIW, SE Linux support is also coming for SUSE Linux Enterprise, and will be
appearing in openSUSE 11.1...  As was mentioned AppArmor is in SUSE Linux
Enterprise and openSUSE today.  AppArmor will continue to be available as
well, but now you'll have a choice.

http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/
and
http://itknowledgeexchange.techtarget.com/enterprise-linux/selinux-now-enabled-in-apparmor-territory-opensuse/

TTYL.
--Kc



On Mon, Nov 10, 2008 at 10:56 PM, David A. Cafaro <dac@cafaro.net> wrote:

> SELinux is what is called a MAC security system.  MAC = Mandatory
> Access Control.  The standard security on Linux (and most systems) is
> what is called DAC (Discretionary Access Control).  Simply put MAC is
> deny everything by default and only allow what you want to work, DAC
> is allow everything and only restrict what you don't want.  That is
> putting it pretty simply but covers the gist of it.
>
> SELinux is part of the mainstream kernel development.  Any
> distribution may include it if they wish.  RedHat, Fedora, and Gentoo
> are probably the biggest supporters of SELinux.  All of these offer it
> as part of their standard install (not positive on Gentoo).  There are
> even versions for *BSD and even Mac OS, though not as well supported.
>
> SELinux can be very hard to implement on a general purpose desktop or
> workstation.  RedHat has been making great strides in making it more
> user friendly, and I've actually had pretty good luck leaving it
> enforcing on my EeePC 1000 with Fedora 9 installed.  But I used to
> write SELinux policy so have a little (very little) idea on how to
> tweak the policy if need be.  SELinux can be very effective on a
> specifically tasked server if you are willing to take the time to
> configure it properly.
>
> SELinux can make it harder to hack your box, since you tell it EXACTLY
> what you are going to allow programs to do, a hacker who tries to make
> a program do something it normally doesn't (open a network port, write/
> read a particular file, even as fine grained as reading a file vs
> writing a file) will find they can't as SELinux won't allow it.
> SELinux has even stopped zero day exploits because it won't allow a
> program to do something it hasn't been given explicit permission to do.
>
> Of course this very fine grained control is the biggest problem with
> SELinux.  It takes a lot of work to get your system locked down tight
> yet allow your programs to function.  And to add to the fun, you often
> find that programmers were taking the easy route and opening things
> read/write when they only needed read.  Again RedHat has done a lot of
> work to make this easier, and it's much better than say 2 years ago,
> but it still takes a little more work than standard Linux security
> permissions.
>
> I wouldn't say it's for the paranoid, but if you want to really lock
> down a webserver, SELinux can help a lot.
>
> Cheers,
> David
>
>
>
> David A. Cafaro <dac@cafaro.net>
> Cafaro's Ramblings:  www.cafaro.net
>
>
>
> On Nov 10, 2008, at 10:13 PM, Clif Flynt wrote:
>
> >
> > On Mon, Nov 10, 2008 at 09:56:41PM -0500, Charles M Howe wrote:
> >> Professor types and paranoids,
> >>
> >> Is SELINUX a distro, like SUSE, complete with GNOME and KDE, or is it
> >> applicable to all significant distros? Is it only for paranoids?
> >
> >  Others who know more than I, chime in.
> >
> >  SELinux is a set of kernel extensions that give you finer control
> > over access to your system.
> >
> >  It's more oriented towards multi user systems where some users are
> > allowed access to more tools than others, rather than for a single user
> > system where the only user has root when he/she needs it.
> >
> >  Using SELinux won't make it harder to hack your box, but you
> > can use it to restrict the ability of a cracker to do damage.
> >
> >  Unrelated, but also useful for security wizards is the Linux
> > Auditing System kernel hacks, developed by RedHat/Fedora.
> >
> >  This is a set of kernel level calls that let you log what files a
> > user touches and what activities a user attempts.  What gets logged is
> > controlled by a config file.
> >
> >  Again, this won't help you keep someone off your system, but it would
> > let you say definitively if a cracker grabbed the credit card database,
> > only looked at the password file, or modified /usr/bin/ls.
> >
> >  The auditing system is necessary if you are getting a DoD
> > clearance for your computers.
> >
> > Clif
> > --
> > ... Clif Flynt ... http://www.cwflynt.com ... clif@cflynt.com ...
> > .. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
> > .... 16'th Annual Tcl/Tk Conference:  2009,  West Coast, USA ....
> > .............  http://www.tcl.tk/community/tcl2008/  ............
> >
> >
> >
> >
> >
> > _______________________________________________
> > Novalug mailing list
> > Novalug@calypso.tux.org
> > http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
>
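Two points in the quoted replies above can be tied together with a small worked example: David's description of SELinux refusing a program permission it was never granted (opening a network port, writing a file it may only read), and Clif's description of the audit system logging which files a user touches. On a Fedora or RHEL box both end up in the same place, /var/log/audit/audit.log, as AVC records (SELinux denials) and SYSCALL records (hits on auditctl watch rules). The script below is an added example, not code from the Novalug thread or from the SELinux or audit projects. The log lines embedded in it are constructed for illustration, and it assumes a watch rule of the form `auditctl -w /etc/shadow -p wa -k shadow-watch` was loaded so that the SYSCALL records carry the key `shadow-watch`; the field layout (avc: denied { perm } for ... scontext= tcontext= tclass=, and success= auid= comm= key= on SYSCALL records) follows the standard audit record format.

```python
"""Summarize SELinux AVC denials and auditd watch hits from audit.log text.

Added example, not from the Novalug thread.  Assumes the standard auditd
record format; the sample records below are constructed, not captured from a
real host, and assume a watch rule keyed "shadow-watch" on /etc/shadow.
"""
import re
from collections import Counter

# Constructed sample: httpd (domain httpd_t) blocked from connecting to the
# MySQL port and from writing content it is only allowed to read, followed by
# two hits on the assumed "shadow-watch" rule (one root read that succeeded,
# one unprivileged write attempt that failed with EACCES).
SAMPLE_LOG = """\
type=AVC msg=audit(1226376000.101:201): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1226376000.102:202): avc:  denied  { write } for  pid=2210 comm="httpd" name="index.html" dev=sda1 ino=9901 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1226376000.103:203): avc:  denied  { write } for  pid=2211 comm="httpd" name="index.html" dev=sda1 ino=9901 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1226376000.104:204): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=3000 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="shadow-watch"
type=SYSCALL msg=audit(1226376000.105:205): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0 a1=1 a2=0 a3=0 items=1 ppid=1 pid=3001 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=2 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="shadow-watch"
"""

# AVC record: what was denied (one or more permissions), by which source
# domain, against which target type and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
# SYSCALL record produced by a watch rule: auid is the login uid, which
# survives su/sudo and so names the human, not the effective uid.
SYSCALL_RE = re.compile(
    r'type=SYSCALL .*?\bsuccess=(?P<success>yes|no)'
    r'.*?\bauid=(?P<auid>\d+)'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bkey="(?P<key>[^"]*)"'
)


def type_of(context):
    """Return the type field (third component) of an SELinux context."""
    return context.split(":")[2]


def parse_line(line):
    """Parse one audit record into a dict, or None if it is not one we track."""
    m = AVC_RE.search(line)
    if m:
        return {"kind": "avc", "verdict": m["verdict"], "perms": m["perms"].split(),
                "comm": m["comm"], "sdomain": type_of(m["scontext"]),
                "ttype": type_of(m["tcontext"]), "tclass": m["tclass"]}
    m = SYSCALL_RE.search(line)
    if m:
        return {"kind": "watch", "success": m["success"] == "yes",
                "auid": int(m["auid"]), "comm": m["comm"], "key": m["key"]}
    return None


def summarize(text):
    """Count denials by (source domain, permission, class, target type) and
    watch hits by (rule key, login uid, program, succeeded)."""
    denials = Counter()
    watches = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "avc" and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                denials[(rec["sdomain"], perm, rec["tclass"], rec["ttype"])] += 1
        elif rec["kind"] == "watch":
            watches[(rec["key"], rec["auid"], rec["comm"], rec["success"])] += 1
    return denials, watches


if __name__ == "__main__":
    denials, watches = summarize(SAMPLE_LOG)
    for (sdom, perm, tclass, ttype), n in sorted(denials.items()):
        print(f"SELinux denied {sdom} {perm} on {tclass} labelled {ttype}: {n}x")
    for (key, auid, comm, ok), n in sorted(watches.items()):
        print(f"watch {key}: auid={auid} via {comm} {'ok' if ok else 'REFUSED'}: {n}x")
```

Run against the constructed sample it reports one refused port connection and two refused writes for httpd_t, plus one successful and one refused access to the watched file by different login uids. Two caveats for real logs: an AVC record and the SYSCALL record for the same event share the serial in msg=audit(timestamp:serial) and are normally read together (ausearch does this for you), whereas this script treats each line on its own; and policy dontaudit rules suppress many denials, so an application failing silently under SELinux may show nothing here until you run `semodule -DB` to disable them. Once you know which denials are legitimate, audit2allow can turn them into a local policy module, but read what it proposes before loading it, or you are back to the "open it read/write when read would do" problem David describes.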