“We all appreciate that when we turn on our Linux systems they’re pretty secure. Thanks to continuing improvements to SELinux, it is increasingly easy for users to take advantage of this powerful security tool. Read on to find an interview with Daniel Walsh, the principal developer of SELinux in Fedora from Red Hat, where he tells us more about what SELinux does and how it’s improved in Fedora 8. At the end of the article are some screenshots which show off the new policy creation GUI.”
Convenient to have the restricted guest and xguest accounts. You can’t deny they have a good sense of pragmatism; it’s easier and safer to run confined kiosk setups. The policy creation tool is a good step in the right direction. You can easily specify the additional domains the user role will transition to, additional roles as mentioned in the article such as guest, xguest, allowed tcp/udp ports locally (specified or unreserved ones) and tcp/udp end-point ports.
Nice one:-)
If we compare the security features of the 20 major Linux distributions, Fedora (& Red Hat) seems like a clear leader. Not only because of SELinux but also because of many other security features and because of their clear security emphasis:
http://fedoraproject.org/wiki/Security/Features
I hope that other distros would learn from Fedora in this respect. After all, security is one of the main points of choosing Linux (or Unix or BSD) anyway. So, when customers (like companies) try to choose the best distribution for them, it may matter quite much how good security features each distribution has.
There are some smaller security-focused distributions like Owl (Openwall) and EnGarde that could perhaps compete with Fedora in security features, but those are usually meant for certain kinds of servers and small niche markets only, and lack the many other nice features, software and support that Fedora has.
Security is the main reason I choose Fedora over other distributions. I like letting some of my security friends login as root and can’t even list processes from guest accounts. They all think it's a vm machine and I'm not really giving them root.
With all of Fedora's security features like exec-shield, compile-time protection and selinux on by default I'd be interested in seeing some data on how many of the past vulnerabilities are actually vulnerable by default. For instance say apache had a critical bug yesterday but under a fedora machine would you even be able to exploit it? I thought Walsh (or someone at RH) was going to collect data on this and post it.
wanted to edit the post but time expired
I might have found an answer to my own question on his blog site: http://danwalsh.livejournal.com/10131.html. In short he’s saying Samba had a few vulnerabilities this week and because of selinux the exploit likely wouldn’t execute. A collection of such cases would be interesting. Not saying it would be foolproof but when you find out how an exploit works it usually requires writing to some process and if those processes are protected by selinux in the kernel then certainly that's a substantial problem for the attacker to overcome.
Fun to go to red alert mode. Just set the default to xguest_t in usermapping
The whole key behind SELinux is it is based on the booleans and puts a stop to rogue processes or brings it to your attention ‘yeah something is trying to write here’ and I am going to deny the access. In all honesty SELinux has a learning curve but it has proven an invaluable tool in locking down a server. At first everyone was saying just disable it and move on. Now people have figured out, leave it on just like it is by default.
The tools such as ‘system-config-selinux’ & selinux trouble shooter can make life a lot easier if you take the time to read what is actually going on. You can adjust the rules or modify the boolean values instead of just turning it off.
Plus all of these tasks can be accomplished by the command line such as ‘restorecon’ allowing you to restore the original file security context, very helpful if you modify something or want to return it to normal. Red Hat has an excellent system in place and Fedora 8 is cutting edge. I use both RHEL5.1 Server at work and Fedora 8 at home.
SELinux = Granular control over the system this is mandatory today with vital personal data and the fact identity theft is on the rise. Fedora 8 has multiple improvements I am still exploring some of the new features…
The easiest way to load is to copy the boot disk image to your drive then partition it out with /boot, /, swap, /home, /usr and /var you can make /home on a logical partition leaving space on the end of your drive by creating a logical volume.
LVM management allows you to resize your drive adding space, easily by the command line with (pvcreate, vgcreate, lvcreate and mkfs.ext3) then create a directory and place it in /etc/fstab. Not to mention ACL, usrquota, suid and numerous other options you can perform on your storage or maybe create an extra logical volume for stuff you want to keep.
It is always best when performing installation to have separate partitions or volumes for different parts of the file system. This helps if you have a problem or you can boot to run level 1 or emergency being able to mount or umount partitions that may have trouble. Plus, this allows you to really lock your system down further with SELinux, with setfacl’s….
Also, they have iced_tea java included now so downloading Sun’s Java is now optional. The options in any Linux distro are just about limitless for any customization you want to do. I have found many excellent books that proved to be quite helpful from Barnes & Noble, Books a Million, and several online ones. It is more convenient for me to drive to a city to purchase the books than to order from the internet if they got it in stock.
I am going to purchase a book on SELinux because I will have to become very inept inside and out since I will be deploying several new Red Hat 5.1 Server installs in the new IBM Blade Centers. I will leave the firewall enabled along with SELinux however I will have to do quite a bit of research on what booleans and context I need to leave defined to not break applications for the end users.
SELinux has notably matured with FC8.
I installed FC8 on my mother's PC. She only needs to browse the web.
I changed her user role to xguest_u in the SELinux manager and checked relabel on next boot. Thus every network connection is not allowed except browsing the web, which is the usage scenario.
Very safe.
Oh and adding for example ssh capability to the xguest user account is as simple as:
1) grep ssh /var/log/audit/audit.log | audit2allow -R -M myxguest
2) semodule -i myxguest.pp
3) check relabel on next boot and reboot
More here:
Monday, November 26th, 2007
http://danwalsh.livejournal.com/
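The audit2allow steps in the comment above turn every denial that matches `grep ssh` into an allow rule, whatever domain produced it. As an added example (not part of the thread), this shell script summarises those denials by source domain, target type, class and permission so they can be reviewed before a module is built; the log lines, the function names and the type names in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: review what `grep ssh audit.log` would feed to audit2allow.

# Constructed sample audit records (not taken from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1195660000.101:41): avc:  denied  { name_connect } for  pid=2301 comm="ssh" dest=22 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1195660004.207:42): avc:  denied  { name_connect } for  pid=2310 comm="ssh" dest=22 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1195660009.330:43): avc:  denied  { getattr } for  pid=1877 comm="httpd" name="ssh_host_rsa_key" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sshd_key_t:s0 tclass=file
type=USER_LOGIN msg=audit(1195660020.001:44): user pid=2400 uid=0 auid=500 msg='acct="guest" exe="/usr/sbin/sshd" res=success'
EOF
}

# Read audit records on stdin; print "<count> <source_t> <target_t>:<class> { perms }".
summarize_avc() {
  awk '
    function ctx_type(s,   p) { split(s, p, ":"); return p[3] }  # user:role:TYPE:level
    /type=AVC/ && /avc: +denied/ {
      perms = $0
      sub(/^.*denied +[{] */, "", perms)   # drop everything up to the brace
      sub(/ *[}].*$/, "", perms)           # drop everything after the permissions
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      src = ctx_type(substr($i, 10))
        else if ($i ~ /^tcontext=/) tgt = ctx_type(substr($i, 10))
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      count[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k2
}

# List denials whose source domain is NOT the one you meant to extend ($1).
unexpected_sources() {
  summarize_avc | awk -v want="$1" '$2 != want'
}

# The same filter the comment uses, checked against the intended domain.
sample_log | grep ssh | unexpected_sources xguest_t
```

Anything `unexpected_sources` prints is a denial from another domain that the broad `grep ssh` filter would also have turned into an allow rule.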