Re: making the smartest use of SE Linux

To: debian-user@lists.debian.org
Subject: Re: making the smartest use of SE Linux
From: Kevin Mark <kevin.mark@verizon.net>
Date: Thu, 1 Mar 2007 20:21:42 -0500
Message-id: <[🔎] 20070302012142.GI5142@localhost>
Mail-followup-to: Kevin Mark <kevin.mark@verizon.net>, debian-user@lists.debian.org
In-reply-to: <[🔎] 45E71279.50203@dsl.pipex.com>
References: <45E5EBAE.8000706@dsl.pipex.com> <[🔎] 20070301161638.GG5142@localhost> <[🔎] 45E71279.50203@dsl.pipex.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Mar 01, 2007 at 05:50:49PM +0000, andy wrote:
<snip>
> 
>     Permissive mode means that it logs any action that would not be
>     permitted under enforcing mode whereas in enforcing mode it would stop
>     the action. Also, SELinux permissions are secondary to unix permissions.
>     This means that if an action is not permitted by unix permissions, that
>     will stop the action and SELinux will never note this. Targeted policy
>     is the one choosen by Redhat and Debian. It deals with protecting web
>     interaction with the machine unlike strict mode that protects all
>     actions. This means that it will monitor apache and network permission.
>     Did you add an entry in /etc/fstab for the /selinux virtual filesystem?
> 
<snip>
> Thanks for the info, Kevin.
> 
> No I haven't put anything in my fstab because I am not running samba or apache.
> Is it still worth doing even if I don't have those installed?
> 
If you want to be able to experiment with you system and see what is
happening, you need a few thing:
http://wiki.debian.org/SELinux/Setup?highlight=%28selinux%29
look at #2 to see more info.
here is a bit from http://fedoraproject.org/wiki/SELinux/Policies
...
After our experiences with the strict policy, we went back and reflected
on what our goals were. We wanted a system where the user was protected
from System applications that were listening on the network.

These applications were the doors and windows where the hackers would
enter the system. So we decided to target certain domains and lock them
down, while continuing to leave userspace to run in an unconfined
nature. Targeted policy was born. In Fedora Core 3 we targeted about 10
domains for lock down and came up with a new domain called unconfined_t.

Processes within the domain of unconfined_t would have the same access
to the system as if SELinux was not enabled. We shipped this policy and
this was the basis for Red Hat Enterprise Linux 4. In Fedora Core 4 and
beyond we have continued to add new targets to the point where most of
system space has been locked down, but userspace is still running in the
unconfined_t domain.
...

- -- 
|  .''`.  == Debian GNU/Linux == |       my web site:           |
| : :' :      The  Universal     |mysite.verizon.net/kevin.mark/|
| `. `'      Operating System    | go to counter.li.org and     |
|   `-    http://www.debian.org/ |    be counted! #238656       |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org         |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFF53wmv8UcC1qRZVMRAl8KAJ9AJuAtcSGRAI7BN/u6JaffeSSQ+gCggtW6
a044vaQ6fUfg0eEm0ErvC8c=
=JBoK
-----END PGP SIGNATURE-----

Reply to:

References:
- Re: making the smartest use of SE Linux
  - From: Kevin Mark <kevin.mark@verizon.net>
- Re: making the smartest use of SE Linux
  - From: andy <geek_show@dsl.pipex.com>

Prev by Date: Re: OT: Here we go again.
Next by Date: Re: Fonts from GDM?
Previous by thread: Re: making the smartest use of SE Linux
Next by thread: Firestarter VS Shorewall
Index(es):
- Date
- Thread