
Re: Don't try this at home kids





On Mon, Nov 29, 2021, 10:27 PM Tom Dial <tddial@comcast.net> wrote:


On 11/29/21 17:19, Nicholas Geovanis wrote:
> On Mon, Nov 29, 2021, 5:14 PM James H. H. Lampert <jamesl@touchtonecorp.com> wrote:
>
>     .... And the only
>     reason ROOT access is more dangerous than, say, QSECOFR access on OS/400
>     (or whatever IBM is calling it this week) is because there's nothing
>     stopping a Linux ROOT from doing things *nobody* should be allowed to do
>     without putting the system into some kind of maintenance mode.
>
>
> Well, SELinux stops root from doing those things. But I'm the only known human who doesn't dislike SELinux. And other problems I have....
> :-D

You are not the only one who doesn't dislike or maybe even likes SELinux. I consider it technically superior to AppArmor as a mandatory access control system, and maybe both more flexible and user-friendlier as well. I found it generally fairly easy to find good documentation (e.g., Red Hat).

Red Hat's doc is probably the best. But they ship it in several pre-configured but non-complete base configurations. Like their "targeted mode".

And I expect those who originated it, some still employed at USNSA, also think well of it, along with the current maintainers and likely enough quite a few other users.

The "rainbow books" are freely available on Google Books nowadays. They were NCSC (NSA) guidelines for highly secure govt systems. I implemented B1 level security (Orange book, Green book) (MAC like SELinux) in 1990 in Unix OSes. Went through the evaluation process with them.

Regards,
Tom Dial

>
>
>     .......
>     --
>     JHHL
>

