
Re: making the smartest use of SE Linux



Kevin Mark wrote:

On Wed, Feb 28, 2007 at 08:53:02PM +0000, andy wrote:
Dear all

I noted with interest that Etch seems to automatically include SE Linux 
as part of the packages, and I was wanting a bit of a steer about how I, 
as a user on a small home LAN, can exploit the strength of SE Linux. 
There isn't anything for selinux in man or info, and this is how it is 
currently set up according to /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# refpolicy-targeted - Only targeted network daemons are protected.
# refpolicy-strict   - Full SELinux protection.
# refpolicy-src      - Custom policy built from source
SELINUXTYPE=refpolicy-targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

Thanks for any ideas and opinions.

Permissive mode means that it logs any action that would not be
permitted under enforcing mode, whereas in enforcing mode it would stop
the action. Also, SELinux permissions are secondary to Unix permissions.
This means that if an action is not permitted by Unix permissions, that
will stop the action and SELinux will never note this. Targeted policy
is the one chosen by Red Hat and Debian. It deals with protecting web
interaction with the machine, unlike strict mode, which protects all
actions. This means that it will monitor Apache and network permissions.
Did you add an entry in /etc/fstab for the /selinux virtual filesystem?

- -- 
|  .''`.  == Debian GNU/Linux == |       my web site:           |
| : :' :      The  Universal     |mysite.verizon.net/kevin.mark/|
| `. `'      Operating System    | go to counter.li.org and     |
|   `-    http://www.debian.org/ |    be counted! #238656       |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org         |

Thanks for the info, Kevin.

No, I haven't put anything in my fstab because I am not running Samba or Apache. Is it still worth doing even if I don't have those installed?

Cheers

A
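An added example, not part of either message in this thread: a small POSIX shell script that reads the SELINUX= and SELINUXTYPE= settings from an /etc/selinux/config-style file (ignoring the comment lines that also contain "SELINUX=", as in the file andy quotes), states what the configured mode means for policy denials as Kevin describes, and checks an fstab for the selinuxfs entry he asks about. The sample config and fstab contents, temporary paths and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): parse an /etc/selinux/config-style
# file and check an fstab for the /selinux (selinuxfs) virtual filesystem.
# Sample files are constructed below so the script runs offline.

# Print the value of KEY from FILE, ignoring comment lines; last match wins.
selinux_config_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key=\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1
}

# Exit 0 if FSTAB has an uncommented line mounting selinuxfs, else 1.
selinuxfs_in_fstab() {
    grep -Eq '^[^#]*[[:space:]]selinuxfs[[:space:]]' "$1"
}

# Summarise what the configured SELINUX= mode means for policy denials.
selinux_mode_summary() {
    case $(selinux_config_value "$1" SELINUX) in
        enforcing)  echo "enforcing: denials block the action and are logged" ;;
        permissive) echo "permissive: denials are logged only; Unix DAC still applies" ;;
        disabled)   echo "disabled: no policy loaded, nothing is logged" ;;
        *)          echo "unknown: SELINUX= missing or unrecognised" ;;
    esac
}

# --- constructed sample input, mirroring the config quoted in the thread ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/config" <<'EOF'
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=refpolicy-targeted
SETLOCALDEFS=0
EOF
cat > "$tmpdir/fstab" <<'EOF'
proc      /proc     proc      defaults  0 0
# selinuxfs /selinux selinuxfs defaults 0 0   (commented out, so not mounted)
EOF

selinux_mode_summary "$tmpdir/config"
echo "policy type: $(selinux_config_value "$tmpdir/config" SELINUXTYPE)"
if selinuxfs_in_fstab "$tmpdir/fstab"; then
    echo "selinuxfs: present in fstab"
else
    echo "selinuxfs: not in fstab"
fi
```

Point it at the real /etc/selinux/config and /etc/fstab to check a live system; the commented-out fstab line shows why the check must skip comments rather than just grep for the word selinuxfs.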
