
Re: selinux - howto



On Fri, Apr 13, 2007 at 07:50:32PM +0200, Sven Arvidsson wrote:
> On Fri, 2007-04-13 at 19:38 +0200, Raphael wrote:
> > I want to learn SELinux in Debian etch, but it is very hard to find
> > the right documentation about it. I want to learn what the default state
> > in etch is now and how to change this. Is there a good start-howto?
> > 
> > Google doesn't show me any good documentation... :(
> > 
> > selinux isn't new anymore???
> 
> I haven't played with it myself, but here are some links, suggesting
> starting points.
> 
> http://wiki.debian.org/SELinux
> - Seems to have good instructions for setup and common issues.
> 
> http://etbe.blogspot.com/2006/12/se-linux-on-debian-in-5-minutes.html
> - SE Linux on Debian in 5 minutes
> 
> And last, Erich Schubert has been working on SELinux for Debian for a
> long time, and blogging quite a lot about it.
> http://blog.drinsama.de/erich/en/linux/selinux/
> 
This[0] looks interesting. And there is a list[1] but it's not very
active although I'd expect someone to answer.

As for the 'default' state of SELinux, I'd make a few comments. Etch
(and beyond) has SELinux support. This means that when you install Etch,
it can be used, but it's not active by default. You can add a boot parameter
'selinux=1' iirc to make it active. And then you need a /selinux
directory to be created.  Then you can start with using the 'enforcing=0'
boot parameter to allow SELinux to just create AVC messages as a way to
test your system. And after you fix any SELinux issues, then you can use
'enforcing=1'. At this moment iirc there is good support for targeted
mode while strict mode is still being worked on. Targeted mode is less
secure and only targets 'network facing interfaces and programs' which
is the more common need. Strict mode tries to make all processes secure
and requires much more work and may require further tweaking to your
system. But read etbe's blog entry for what is needed.
-Kev
[0] http://sourceforge.net/docman/display_doc.php?docid=14882&group_id=21266
[1] http://lists.alioth.debian.org/mailman/listinfo/selinux-user
-k
-- 
|  .''`.  == Debian GNU/Linux == |       my web site:           |
| : :' :      The  Universal     |mysite.verizon.net/kevin.mark/|
| `. `'      Operating System    | go to counter.li.org and     |
|   `-    http://www.debian.org/ |    be counted! #238656       |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org         |
|join the new debian-community.org to help Debian!              |
|_______  Unless I ask to be CCd, assume I am subscribed _______|
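
The boot-parameter sequence described in the message above ('selinux=1', the /selinux directory, then 'enforcing=0' before 'enforcing=1'), as an added example that is not part of the original post. The function names cmdline_value and selinux_boot_state are hypothetical, the sample command lines are constructed, and the script reads only the boot parameters, not the mode a running system may have been switched to later.

```shell
#!/bin/sh
# Added example: classify the boot-parameter stage described in the message.
# It looks only at the kernel command line and the mount-point directory,
# not at the mode the running system was later switched to.

# Print the value of KEY on CMDLINE; the last occurrence wins (assumed here).
cmdline_value() {
    set -f                      # no globbing while splitting (runs in a subshell)
    val=
    for word in $2; do
        case $word in
            "$1="*) val=${word#"$1="} ;;
        esac
    done
    printf '%s' "$val"
}

# selinux_boot_state CMDLINE MOUNTPOINT -> one word describing the stage
selinux_boot_state() {
    sel=$(cmdline_value selinux "$1")
    enf=$(cmdline_value enforcing "$1")
    if [ "$sel" != 1 ]; then
        echo disabled               # no selinux=1: support present, not active
    elif [ ! -d "$2" ]; then
        echo missing-mountpoint     # selinux=1 but the directory was not created
    elif [ "$enf" = 1 ]; then
        echo enforcing              # denials are enforced
    elif [ "$enf" = 0 ]; then
        echo permissive             # test stage: AVC messages only
    else
        echo mode-unset             # enforcing= not given on the command line
    fi
}

# Constructed sample command lines, one per stage.
for sample in \
    'root=/dev/hda1 ro' \
    'root=/dev/hda1 ro selinux=1 enforcing=0' \
    'root=/dev/hda1 ro selinux=1 enforcing=1'
do
    printf '%-45s %s\n' "$sample" "$(selinux_boot_state "$sample" /)"
done

# On a real system: selinux_boot_state "$(cat /proc/cmdline)" /selinux
```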
