
Re: Selinux on a Squeeze Desktop

On Sun, Mar 13, 2011 at 12:00 PM, Josep M. Gasso <websurfer@navegants.com> wrote:

I would like to ask if someone has at home a Desktop/Server machine
that runs selinux; my Debian Squeeze machine is always on and is a
mailserver too.

So, I would like to know if there are any desktop problems with selinux, and if
speed is also affected.

Any advice will be appreciated, I plan to install selinux in a few days.

i think that what patrick said is what most people think when they first look at configuring selinux. however, those who maintain selinux are nice enough to compile a configuration that is not very restrictive and has enough for you to work off of as an example if you want to make your system harder. like some other things - vim comes to mind - i wouldn't start with selinux by jumping in with both feet. nor would i even expect to scratch the surface of it in a year of maintaining a system with selinux configured.

selinux runs at kernel level. so, if you want to disable it, you need to do it at boot time (or edit your boot loader's config). which means, if you go and recompile the selinux config and mess something up, you'll probably be disabling it as a boot option at your grub shell. as a kernel level thing, i don't think selinux has any impact on speed (someone might correct me but i'll wager that it's not much if there is a performance impact).

now, i'm a big advocate of virtual machines. they're just as good for people trying to learn new things as they are to data centers. i would suggest installing debian with selinux and leaving it as is. then install another debian on a virtual (i like virtualbox for my prototyping / learning) and immediately take a snapshot of that install. then, go hack away at selinux. copy your config to another box before you reboot. that way, when you mess something up, instead of going through, disabling selinux and figuring out what you did wrong, you can just revert back to your snapshot, and compare the before and after configs and see what you might try differently. the other good thing about that is that when you have something working on your virtual, you should be able to pretty easily apply it to your server.

lastly, there are three mandatory access control systems like this. the most popular two are selinux and apparmor (don't know who uses grsecurity - just read about it). at any rate, novell and ubuntu use apparmor (novell still puts money into it i think). everyone else uses selinux. i've heard that apparmor is easier *shrug* - it might be, it also looks like it doesn't have the features of selinux so i never bothered with it.

lastly, i think selinux's history is pretty cool. i think in another ten years or so, someone should consider writing a non technical book about the history of it. lastly, i was surprised to see that the nsa has a web page for it (selinuxproject.org being the main project web site): http://www.nsa.gov/research/selinux/
also, floss had an interesting interview with the guy who maintains it now.
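
Added example, not part of the original message: a shell function that works out which SELinux mode a boot ends up in from the kernel command line and the SELINUX= line of a config file, useful for checking a GRUB edit or comparing a before/after config copy. It assumes a kernel where SELinux is on unless selinux=0 is passed and the libselinux rule that enforcing=0/1 on the command line overrides the file; the function name and sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Resolves the SELinux mode a
# boot would end up in from two inputs: the kernel command line and the
# SELINUX= line of a config file such as /etc/selinux/config.
# Assumptions: the kernel enables SELinux unless selinux=0 is passed, and
# enforcing=0/1 on the command line overrides the config file's
# permissive/enforcing choice (the libselinux policy-loading behaviour).

selinux_boot_mode() (
    cmdline=$1
    config=$2
    set -f                      # no globbing while splitting the cmdline

    file_mode=unspecified
    if [ -r "$config" ]; then
        # First uncommented SELINUX= line; SELINUXTYPE= does not match.
        found=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$config" | head -n 1)
        case $found in
            enforcing|permissive|disabled) file_mode=$found ;;
        esac
    fi

    kernel_off=no
    override=
    for arg in $cmdline; do
        case $arg in
            selinux=0)   kernel_off=yes ;;          # SELinux off for this boot
            enforcing=0) override=permissive ;;     # boot-time override
            enforcing=1) override=enforcing ;;
        esac
    done

    # "disabled" from either source wins; then the cmdline override; then the file.
    if [ "$kernel_off" = yes ] || [ "$file_mode" = disabled ]; then
        echo disabled
    elif [ -n "$override" ]; then
        echo "$override"
    else
        echo "$file_mode"
    fi
)

# On a live system:
#   selinux_boot_mode "$(cat /proc/cmdline)" /etc/selinux/config
```

Running it against the saved config copy and the live one shows whether a change that broke the boot was a mode change or something deeper in the policy.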
