LinuxQuestions.org
04-22-2012, 04:37 PM   #1
metalaarif
Member
 
Registered: Oct 2011
Location: Nepal
Distribution: RHEL, CentOS, Slackware
Posts: 131
Blog Entries: 1

Rep: Reputation: 3
Testing SELinux


Hello guys, I have been doing some reading about SELinux.

I am trying to compare normal Linux, which is based on Discretionary Access Control (DAC), and an SELinux-implemented Linux OS based on Mandatory Access Control (MAC).

I did some reading and have understood it. The part that I am having difficulty understanding is HOW do I TEST them to show that there is a difference between MAC and DAC.

I know this might sound stupid, but I have just begun with SELinux; therefore, suggestions would be helpful. I want to try it myself and see the difference between a normal and an SELinux-implemented Linux OS.

It is because I want to harden my Linux and increase security.
 
04-22-2012, 09:09 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
Fedora and CentOS both use SELinux.
Ubuntu and OpenSUSE (like I am now using) use apt-guard.

SE is built into the core of the OS;
apt guard is a layer of the onion.

As to testing?

Do you have (or are you working on) a master's in CS and networking?

But Fedora with the default settings and SE set to enforcing is very secure.

But nothing (not even the NSA or CIA) can withstand a determined and experienced "system cracker".

You might want to do a bit of reading:
http://www.darkreading.com/
http://www.ethicalhacker.net/
 
04-23-2012, 11:15 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by John VV
Ubuntu and OpenSUSE (like I am now using) use apt-guard.
I thought OpenSuSE used AppArmor? Never heard of "apt-guard". Got an URI?


Quote:
Originally Posted by John VV
As to testing?
Do you have (or are you working on) a master's in CS and networking?
Sure one should have an understanding of what one runs but one doesn't need a Masters in CS to practically test a Mandatory Access Control implementation:


Quote:
Originally Posted by metalaarif
The part that I am having difficulty understanding is HOW do I TEST them to show that there is a difference between MAC and DAC.
MAC runs on top of DAC and DAC only deals with "simple" access permissions. MAC tries to improve on that and include domains DAC can't handle. Some easy examples:
- Install Bitdefender for Linux. Running 'bdscan' on any target should fail because the application requires an executable heap (also see this).
- Install Firefox-3.x or Google Earth or Zend. Trying to run should fail because one or more libraries need to have the "textrel_shlib_t" type set first.
- Install Apache. Configure it to listen on an additional port with 'echo "Listen 888" >> /etc/httpd/conf/httpd.conf'. Start Apache. It should fail because there is no port assignment for port TCP/888 ('seinfo -p888').
 
1 members found this post helpful.
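
Each of the three tests in the post above fails with a different AVC denial even though ordinary (DAC) permissions allow the operation. As an added example (not part of unSpawn's post), this script summarises such denials from audit records; the log lines, the library path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: tie each failed test to the SELinux permission that blocked it.
# Real input would come from:  ausearch -m avc -ts recent | avc_summary
# The three AVC records below are constructed samples, not captured output.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1335200001.101:201): avc:  denied  { execheap } for  pid=3101 comm="bdscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1335200002.202:202): avc:  denied  { execmod } for  pid=3202 comm="firefox" path="/usr/lib/example/libexample.so" dev=dm-0 ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1335200003.303:203): avc:  denied  { name_bind } for  pid=3303 comm="httpd" src=888 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1335200003.303:203): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# Print "comm permission source_domain target_type class" for every denial.
avc_summary() {
  awk '/avc: +denied/ {
    perm = comm = domain = ttype = tclass = "-"
    b = index($0, "{ "); e = index($0, " }")
    if (b && e > b) perm = substr($0, b + 2, e - b - 2)
    gsub(/ /, ",", perm)                 # "{ read write }" becomes read,write
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, s, ":"); domain = s[3] }
      if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
      if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
    }
    print comm, perm, domain, ttype, tclass
  }'
}

# Map a denied permission to the test in the post that triggers it.
explain_perm() {
  case "$1" in
    execheap)  echo "test 1: process asked for an executable heap" ;;
    execmod)   echo "test 2: library with text relocations lacks textrel_shlib_t" ;;
    name_bind) echo "test 3: port is not assigned to a type the domain may bind" ;;
    *)         echo "other MAC denial" ;;
  esac
}

sample_avc_log | avc_summary | while read -r comm perm domain ttype tclass; do
  printf '%-8s %-10s %s -> %s (%s)\n  %s\n' \
    "$comm" "$perm" "$domain" "$ttype" "$tclass" "$(explain_perm "$perm")"
done
```

In permissive mode (`setenforce 0`) the same operations succeed while the denials are still logged, which shows the block came from MAC rather than from file permissions.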
04-23-2012, 09:13 PM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,358

Rep: Reputation: 2751
You may find this useful http://www.linuxtopia.org/online_boo...ion/index.html
Chap 43 goes into the theory, Chap 44 shows you how to set/test it
 
1 members found this post helpful.
04-25-2012, 05:51 PM   #5
metalaarif
Member
 
Registered: Oct 2011
Location: Nepal
Distribution: RHEL, CentOS, Slackware
Posts: 131

Original Poster
Blog Entries: 1

Rep: Reputation: 3
Cheers unSpawn and chrism01, this is what I really wanted, thanks to you guys,
lemme just do a quick review and I will mark this as a solved post.
 
04-26-2012, 01:44 PM   #6
metalaarif
Member
 
Registered: Oct 2011
Location: Nepal
Distribution: RHEL, CentOS, Slackware
Posts: 131

Original Poster
Blog Entries: 1

Rep: Reputation: 3
Thanks a lot unSpawn and chrism01.

You saved my life.
Thanks. Now I'm really happy.
 
04-26-2012, 03:43 PM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by unSpawn
I thought OpenSuSE used AppArmor? Never heard of "apt-guard". Got an URI?
Well, AppArmor is certainly the correct name. Now according to the security guide (which is fairly recent, just about coincident with the last oS release), AppArmor is your option under oS.

This wasn't, however, my understanding (which, as always, can be deeply flawed); I understood that when Novell stopped being the primary project sponsor behind AppArmor*, the choice between AppArmor and SELinux had become entirely a user choice. Looking at the Security Guide, however, there is no mention of SELinux and only AppArmor is described. This implies that AppArmor is the default, and while SE might be possible, it is not supported in the '...and here is the documentation...' sense of supported.

And, BTFW, where the previous 'Software Search' gave away the information as to whether the target package was an 'official' package or a 'personal project', the new version has been 'improved' to the point that I no longer know how to do this, so I can't comment on whether the SELinux packages have the same status (but without the same level of documentation, obviously) or not as the AppArmor packages. Progress! It isn't an unambiguous good, is it?

* I believe that Novell decided (or claimed, if you wish to spin it that way) that the 'heavy lifting' on AppArmor had been done, the sponsorship was no longer needed, and the project could be now allowed to roam free. I am massively unclear how this might play with any different set of priorities that Attachmate might now have, and I don't think that I care, although maybe I should.
 
  

