“In this paper I will try to explain the philosophy behind Security Enhanced Linux (SE Linux). I will try to explain the concept with an example, but to keep the length readable I will restrain myself from going into much implementation detail, e.g. commands and similar stuff.”
http://fedoraproject.org/wiki/FAQ#head-3af8a2dc6f7d24047528556f15fa…
I am mystified as to why SELinux doesn’t work on Fedora Core. Every time I turn on “targeted” security a bunch of common daemons are not permitted to do their regular work. It’s like the targeted scheme (or whatever the term is) was never tested.
It works by default for millions of people. If it doesn’t work for you, you might want to post to the fedora-selinux list about it, with the AVC denied messages from /var/log/messages or from the audit log in /var/log/audit/audit.log.
“# man booleans” and the system-config-securitylevel GUI tool are pretty helpful.
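As an added example (not from the original thread or from the paper under discussion): a small Python parser for the AVC denial lines the reply above says to post, run over constructed sample lines in both the /var/log/messages shape and the /var/log/audit/audit.log shape. The daemon and type names in the samples (httpd_t, user_home_t, dovecot_t, port_t) are real Fedora Core era types, but the denials themselves are made up for the example. Grouping the denials by source domain, target type and object class gives the one-rule-per-key summary that a list post, or a policy fix, needs.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the original post). Lines 1-2 are the
# syslog form found in /var/log/messages on FC4, line 3 the
# /var/log/audit/audit.log form, line 4 unrelated noise the parser must skip.
SAMPLE_LOG = """\
Dec 24 03:03:01 fc4 kernel: audit(1135395781.123:45): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=hda2 ino=131074 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec 24 03:03:02 fc4 kernel: audit(1135395782.300:46): avc:  denied  { getattr } for  pid=2231 comm="httpd" path="/home/alice/public_html/index.html" dev=hda2 ino=131074 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
type=AVC msg=audit(1135395790.456:47): avc:  denied  { name_bind } for  pid=2240 comm="dovecot" src=9931 scontext=root:system_r:dovecot_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Dec 24 03:04:12 fc4 sshd[2260]: Accepted publickey for alice from 192.0.2.10
"""

# Both log shapes share the core "avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    for ctx in ('scontext', 'tcontext'):
        # a context is user:role:type; the type is what policy rules are written against
        parts = rec.get(ctx, '').split(':')
        if len(parts) >= 3:
            rec[ctx + '_type'] = parts[2]
    return rec


def summarize_denials(log_text):
    """Group denials by (source domain, target type, class), merging the
    permissions seen for each key. One key corresponds to one allow rule."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and 'scontext_type' in rec and 'tcontext_type' in rec and 'tclass' in rec:
            key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
            grouped[key].update(rec['perms'])
    return {k: sorted(v) for k, v in grouped.items()}


def as_allow_rules(summary):
    """Render the summary as candidate policy rules for a human to review,
    e.g. 'allow httpd_t user_home_t:file { getattr read };'. Whether to add
    such a rule is a judgement call: httpd reading user_home_t content may be
    a labeling or boolean question (see the replies above) rather than a
    policy bug, so the rule is a summary of what was denied, not a fix."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f'allow {src} {tgt}:{cls} {{ {" ".join(perms)} }};')
    return rules


if __name__ == '__main__':
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Feeding real log lines through this gives the same grouped view you would paste into a list post; the rendered allow rules are only a reading aid, since the right answer to a denial is often a relabel or a boolean rather than a new rule.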
I’m mystified as to how you can say that with a straight face. Or perhaps you’re just doing foolish things like pointing httpd to somewhere other than /var/www? In that case, what do you expect?
My guess is that you have managed to mess up the labeling somehow.
Try the following:
Make sure the package selinux-policy-targeted-sources is installed, then cd to /etc/selinux/targeted/src/policy/ and do “make relabel” to restore it.
There are also settings in system-config-securitylevel that allow you to configure what various daemons are allowed to do.
And I am mystified as to what organisation would actually deploy this as a secure OS. It’s primarily developed by the NSA (who I obviously trust) and Red Hat (ditto), with of course a bit of help from those friends of democracy IBM ( http://news.com.com/Probing+IBMs+Nazi+connection/2009-1082_3-269157… ).
The only commercial distro worth mentioning, Red Hat, is only going for CC4 with RHEL 5 ( http://lwn.net/Articles/153287/ ). Businesses are only on RHEL 3. Give me a break, SELinux is a joke outside the NSA.
Too much SUN damages the brain… Didn’t they warn you?
“It’s primarily developed by the NSA (who I obviously trust) and Red Hat (ditto), with of course a bit of help from those friends of democracy IBM”
Yes, it was rumored the NSA and Red Hat put backdoors in SELinux. Then some idiot ruined all the fun and posted the source code… damn kill-joy he was.
Why would you insinuate Red Hat can’t be trusted? Because they dropped mp3 support? Because GCC had a funny point release? Some people are so far gone, I swear.
Edited 2005-12-24 03:03
FUD about Linux/Red Hat/IBM from a Sun employee? No way, really? I’m shocked. Shocked, I tell ya!
My experiences with targeted SELinux under FC4 are not bad. At first I had some problems with dovecot and apache, but I filed bug reports and all were quickly fixed (one took a little longer, but that was caused by my strange dovecot config and didn’t affect many people, or so I think).
Writing good policies is not easy and it’s hard to cover all cases, thus good testing is needed. If you find bugs, file them in Bugzilla.
I think SELinux is great because it adds security. And I am sure that in 2 years SELinux will be standard in most Linux distributions.
Better to have open source code like Linux that you can check for back doors and build trust on, than to have closed proprietary binaries like MS Windows from a company which has been found guilty of illegal practices and continues to be investigated.
Some of that guy’s scentances are paragraphs in length. The modern word processor would correct at least half of those grammer errors. Was this written in Notepad?
They also correct misspelled words… like “scentances” and “grammer”.
I was not aware.
They need a bit of help over there.
Congratulations Thom. I think you’ve taken OSNews to a new low. Publishing a badly composed undergraduate paper from a barely reputable site (just look at the “PHP Security” article they promoted and the comments it attracted) IS NOT NEWS.
The paper could do with more work, it’s a pity that the author didn’t contact me or some of the other SE Linux developers for some suggestions when it was at the draft stage. Unfortunately there was no method of contacting the author so this forum seems the only way I can provide feedback:
Page 3 is unclear about the difference between MAC and DAC. The most critical feature of DAC is that a program can’t compromise the security of its own data (through error or design) by granting wide access. In a MAC system the administrator controls the access that is granted. In the case of SE Linux it’s a second layer of security, so a program can create a mode 777 file in /tmp but SE Linux will prevent many (or most, depending on who creates the file) programs from accessing it.
Page 6 will lead the reader to believe that every user identity must end in “_u”; this is incorrect. The only users ending in “_u” are “user_u” and “system_u”; generally users have a SE Linux identity that exactly matches their Unix account name. But there will be some minor changes in this regard in Fedora Core 5 (already in FC5test1).
The section on page 6 regarding roles is wrong. Roles do not directly determine access (*), they determine which domains may be entered, and the domain directly determines the access.
(*) There is a SE Linux policy feature called “constraints” by which the role may directly control access. It is a feature that is not used much and should be considered an advanced feature that most users will not encounter.
Page 7 has a syntax error, it should be “role sysadm_r types ftpd_t;”, note that it’s “types” not “type” and that each line ends with a semi-colon.
Page 17 uses foo_t as the domain for a process and the type for a file, this is something you will never do in practice and makes for a bad example. foo_exec_t and foo_t would make a better example (the convention is that all types for executable files end in “_exec_t”).
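As an added example (not from the original thread, from the paper, or from any Fedora policy): a toy linter, in Python, for the three points the comment above makes about kernel policy statements: a role statement reads “role R types T;” (plural keyword, trailing semicolon) and lists domains, which is all a role does; the type a process runs in (foo_t) and the type of its executable (foo_exec_t) are distinct; and executable types end in “_exec_t”. It assumes one statement per line and plain kernel policy syntax with no m4 or reference-policy macros, and ignores statements it does not know. The BAD_POLICY fragment is constructed to reproduce the page 7 syntax error and the page 17 foo_t-for-both mistake; GOOD_POLICY is the corrected form.

```python
import re

# Constructed fragment (not a real policy file) reproducing the two mistakes
# the comment points out: "role ... type ..." with neither the plural keyword
# nor a semicolon, and foo_t used as both the executable type and the domain.
BAD_POLICY = """\
type ftpd_t, domain;
type ftpd_exec_t, file_type, exec_type;
type foo_t, domain;
role sysadm_r type ftpd_t
role sysadm_r types foo_t;
type_transition sysadm_t foo_t:process foo_t;
type_transition sysadm_t ftpd_exec_t:process ftpd_t;
"""

# Constructed corrected fragment: the domain is ftpd_t, its entry point is
# ftpd_exec_t, and the role statement has the right keyword and terminator.
GOOD_POLICY = """\
type ftpd_t, domain;
type ftpd_exec_t, file_type, exec_type;
role sysadm_r types ftpd_t;
type_transition sysadm_t ftpd_exec_t:process ftpd_t;
"""

TYPE_RE = re.compile(r'^type\s+(\w+)\s*(?:,\s*([\w\s,]+))?\s*;$')
# keyword and semicolon are captured loosely so that the linter can report them
ROLE_RE = re.compile(r'^role\s+(\w+)\s+(types?)\s+([\w\s,{}]+?)\s*(;?)$')
TT_RE = re.compile(r'^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$')


def lint_policy(text):
    """Return a list of (line_number, message) findings for a policy fragment.
    Type declarations are assumed to precede the statements that use them."""
    findings = []
    declared = {}  # type name -> set of attributes, e.g. {'domain'}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue

        m = TYPE_RE.match(line)
        if m:
            attrs = {a.strip() for a in (m.group(2) or '').split(',') if a.strip()}
            declared[m.group(1)] = attrs
            continue

        m = ROLE_RE.match(line)
        if m:
            role, keyword, type_list, semi = m.groups()
            if keyword != 'types':
                findings.append((lineno, f'role {role}: keyword must be "types", not "{keyword}"'))
            if not semi:
                findings.append((lineno, f'role {role}: statement must end with ";"'))
            # a role only says which domains may be entered; access comes from the domain
            for t in re.findall(r'\w+', type_list):
                if t in declared and 'domain' not in declared[t]:
                    findings.append((lineno, f'role {role}: {t} is not a domain; roles list domains, not file types'))
            continue

        m = TT_RE.match(line)
        if m:
            src, tgt, cls, new = m.groups()
            if cls == 'process':
                if tgt == new:
                    findings.append((lineno, f'type_transition: {tgt} used both as the executable type and as the domain entered'))
                elif not tgt.endswith('_exec_t'):
                    findings.append((lineno, f'type_transition: executable type {tgt} should end in "_exec_t"'))
            continue
        # allow rules and other statements are outside this toy's scope


    return findings


if __name__ == '__main__':
    for lineno, msg in lint_policy(BAD_POLICY):
        print(f'BAD_POLICY line {lineno}: {msg}')
    print('GOOD_POLICY findings:', lint_policy(GOOD_POLICY))
```

Running it reports the two problems on the broken role line and the shared foo_t on the type_transition line, and nothing for the corrected fragment; the real compiler (checkpolicy) would of course reject the syntax error outright, the point here is that the foo_t-for-both example is legal policy and only a convention check catches it.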
I wonder what will a normal user do if she finds this SELinux thing gets in her way while using the computer.
Can she (easily) use a less intrusive policy? Can she (easily) disable the whole thing?
Of course she won’t do any of this with such a lovely thing, but… what if she dislikes it? (My teeth grind at the mere thought, ugh!)
She’d run system-config-securitylevel, the GUI tool for configuring the SELinux setup.