[sllug-members]: SELinux

Knight Walker kwalker at kobran.org
Tue May 23 20:04:11 MDT 2006


On Tue, 2006-05-23 at 12:59 -0700, Robert Lewis wrote:
> I was wondering if any of you had any experience/opinions on SELinux.
> I know it’s definitely more secure but in the past one person I know ran
> into a few issues with using it (much more complex and error prone 
> permission system).
> Any advice especially from those using it in a commercial setting would 
> be helpful?

I have used SELinux, and in fact I am doing everything I can to keep
running all of my production and test machines under it (Desktops and
servers).  I have reported several issues with it to Red Hat's Bugzilla
and even gotten a couple of them fixed.  Yes, it is more complex than the
normal permission system and until one reaches a certain level of
proficiency with it, it can also be more error prone, but it is much
more granular and detailed a security model than I've seen on most UNIX
OSes.

If you're looking for advice, I recommend you read *1 and *2.  They give
a lot of information about how SELinux works and how to write your own
policy (they really helped demystify it for me).  They're written for
Debian though, so be aware that there are some differences if you're
using Fedora (mostly just file locations, IIRC).

Note: I'm not sure how this applies to FC5's new modular policy
frameworks, as I have not yet installed FC5 to do any digging.

*1) http://www.lurking-grue.org/gettingstarted_newselinuxHOWTO.html
*2) http://www.lurking-grue.org/writingselinuxpolicyHOWTO.html

-KW


