LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 03-04-2008, 12:10 AM   #1
okos
Member
 
Registered: May 2007
Location: California
Distribution: Slackware/Ubuntu
Posts: 609

Rep: Reputation: 37
Questions about selinux on slackware


Hi
I have not installed selinux but I was considering it.
I have a few questions and was wondering if any of you guys could answer.

1. I have a family network of three computers on a wireless router, should I be using selinux? Or is it more geared towards the corporate structure? I also download a lot of programs.

2. I was a little fearful that if I recompile my kernel with selinux that it will mess up my system. There does not seem to be much support for installing it on slackware.

3. Is it very intrusive and inhibiting? Will I have to change selinux every time I install programs from source? Will it cause a lot of problems running software?

4. What is pam? I read two forums where they want selinux but without pam.

5. Since selinux looks at every object (file) will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?

6. Is there other similar security software that seems to be more user friendly and compatible with slackware?

Last edited by okos; 03-04-2008 at 12:11 AM.
 
Old 03-04-2008, 02:13 AM   #2
askalon9f2
LQ Newbie
 
Registered: Feb 2008
Location: Antwerp, Belgium
Distribution: Slackware 12.2, slamd64 12.1
Posts: 18

Rep: Reputation: 0
In answer to 6: you could use open source Tripwire http://sourceforge.net/projects/tripwire/

Regards,
 
Old 03-05-2008, 09:51 AM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
What are you trying to accomplish? -- I/we could advise you better if we knew the Q behind the Q.

I have several friends who use Fedora & they seem to disable it because it is such a PITA. BTW, trying to put it on Slack seems ill-advised: (from http://en.wikipedia.org/wiki/Selinux#Implementations):
Quote:
There was some work to provide SELinux packages for SUSE [3] and Slackware [4], but development seems to have stopped (the files are old).

Some "random" links I looked at:
 
Old 03-05-2008, 11:24 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by okos
I have a family network of three computers on a wireless router, should I be using selinux? Or is it more geared towards the corporate structure? I also download a lot of programs.
No, SELinux is all-purpose. Being "shielded" inside a LAN and not (running accessible or) exposing any services to hostile networks can be considered mitigating. Properly hardening a machine should always be considered a standard practice.


Quote:
Originally Posted by okos
I was a little fearful that if I recompile my kernel with selinux that it will mess up my system. There does not seem to be much support for installing it on slackware.
That does seem to be the fact at this moment. Unfortunately. Compiling the kernel isn't the only thing you need to do: utilities need to be SELinux-aware too.


Quote:
Originally Posted by okos
Is it very intrusive and inhibiting? Will I have to change selinux every time I install programs from source? Will it cause a lot of problems running software?
Until you've run it on a recent, maintained and supported distribution that has SELinux enabled out of the box, I find "very intrusive and inhibiting" is just another opinion (to keep or change, the choice is yours).


Quote:
Originally Posted by okos
What is pam? I read two forums where they want selinux but without pam.
PAM is the TLA of "Pluggable Authentication Modules". It provides you with a unified authentication interface for both local and remote auth ops. AFAIK Slackware is the only GNU/Linux distribution that does not use PAM, the one man reason for that is:
Quote:
Originally Posted by Patrick Volkerding
"I think a better name for PAM might be SCAM, for Swiss Cheese Authentication Modules, and have never felt that the small amount of convenience it provides is worth the great loss of system security."
...which illustrates (...). Anyway, Slackware can run PAM (see Dropline).


Quote:
Originally Posted by okos
Since selinux looks at every object (file) will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?
The current default shipped Policy called "targeted" (in layman's terms) hardens mostly the outside, the inside remaining chewy ;-p And no, there are no problems working around that using tools to relabel entities and adjust the local policy.


Quote:
Originally Posted by okos
Is there other similar security software that seems to be more user friendly and compatible with slackware?
The only in-kernel equivalents are kernel patches like GRSecurity or LIDS. They're different. You'll find patching the kernel and running GRSecurity (even without RBAC) will be a good start for having a rather well-protected system but you should still consider hardening the system properly.



Quote:
Originally Posted by archtoad6
I have several friends who use Fedora & they seem to disable it because it is such a PITA.
What does that prove? As I already said in another thread there is no realistic equivalent in the GNU/Linux world that is maintained and supported, gains adaptation and helps distributions get EAL certified like SELinux. On the practical side of things SELinux has mitigated security risks. So for both reasons it is worthwhile enabling if you have it. So go tell your friends.

Last edited by unSpawn; 03-05-2008 at 11:26 AM.
 
Old 03-05-2008, 11:57 AM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
Perhaps I should have mentioned that the friends are professional Linux consultants. So I guess it proves that however valuable it is, it's got a major (?) learning curve.

Of course those who are using it successfully may not have complained. I'll try to re-survey tonight at the HLUG weekly Workshop.

Serious Q: If SELinux is so good, which firewall distros have adopted it? -- AFAIK, not SmoothWall Express or IPCop.

For that matter, I see no sign of Tripwire, Samhain, chkrootkit, or rkhunter in SmoothWall Express & this worries me.
 
Old 03-05-2008, 01:29 PM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,965
Blog Entries: 11

Rep: Reputation: 865
Quote:
Originally Posted by archtoad6
Perhaps I should have mentioned that the friends are professional Linux consultants. So I guess it proves that however valuable it is, it's got a major (?) learning curve.
So does using Linux if you started on a Mac or Windows machine.
Maybe it proves that consultants are lazy and stupid? ;D



Cheers,
Tink
 
Old 03-05-2008, 02:03 PM   #7
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
Or busy
 
Old 03-05-2008, 06:36 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by archtoad6
If SELinux is so good, which firewall distros have adopted it? -- AFAIK, not SmoothWall Express or IPCop.
For that matter, I see no sign of Tripwire, Samhain, chkrootkit, or rkhunter in SmoothWall Express & this worries me.
Apologies to the OP, we shouldn't derail this thread. I don't know which firewall distributions do and I'd argue it should matter less since a firewall device is (or should be) a hardened single purpose device, not lighting up on the "hostile" side with services like a Christmas tree.
 
Old 03-05-2008, 07:45 PM   #9
okos
Member
 
Registered: May 2007
Location: California
Distribution: Slackware/Ubuntu
Posts: 609

Original Poster
Rep: Reputation: 37
Thanks for the great info and the little debate.

I am pretty new to linux and I want to better secure my system. Having read quite a bit about selinux, it seems that it is only as good as it is set up. In a nutshell, it seems that selinux is based on examining every file and process. I guess I would have to tell selinux, in layman's terms, how to look at each and every file and process. Setting it up seems to be way too much work.

So.....

Having read some of the selinux papers, there seem to be flaws with the use of the chmod command, giving hackers, poorly written software, and hostile software root access.

What should I do to "harden" my system? Your expert opinions would be much appreciated.

I have a Dell Inspiron 5150 with a dual boot: XP/Slackware 12.

Thanks

Last edited by okos; 03-05-2008 at 07:47 PM.
 
Old 03-05-2008, 11:52 PM   #10
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,749

Rep: Reputation: 461
There used to be a guide and script around - try googling for 'harden slackware'.
 
Old 03-06-2008, 04:51 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by okos
Having read quite a bit about selinux, it seems that it is only as good as it is set up.
True, but that goes for everything.


Quote:
Originally Posted by okos
In a nutshell, it seems that selinux is based on examining every file and process. I guess I would have to tell selinux, in layman's terms, how to look at each and every file and process.
SELinux works on top of DAC. So if access restrictions deny access then SELinux doesn't need to look further for a "decision".


Quote:
Originally Posted by okos
Setting it up seems to be way too much work.
An unsatisfactory but realistic outcome. It does place the work of maintainers and distros that provide out of the box GRSecurity (Gentoo) or SELinux (you know) in a different light I think.


Quote:
Originally Posted by okos
Having read some of the selinux papers, there seem to be flaws with the use of the chmod command, giving hackers, poorly written software, and hostile software root access.
Post the URIs for that please because (with all due respect) it sounds like FUD.
 
Old 03-06-2008, 05:29 PM   #12
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.0
Posts: 2,242

Rep: Reputation: 614
gnashley, is this what you were talking about: http://www.cochiselinux.org/files/sy...ening-10.2.txt ? (For 10.2, but may work -- haven't looked into it). Also see here: http://www.antionline.com/showthread.php?p=936777 (all by googling).
 
Old 03-06-2008, 10:41 PM   #13
okos
Member
 
Registered: May 2007
Location: California
Distribution: Slackware/Ubuntu
Posts: 609

Original Poster
Rep: Reputation: 37
Quote:
Originally Posted by unSpawn
Post the URI's for that please because (with all due respect) it sounds like FUD.
Over the last week I googled dozens of links regarding selinux. Including reading the papers on the nsa web site. I searched my history and can't find the specific articles. I believe I read it on the nsa website and one other place.

If I find it I'll let you know.
 
Old 03-09-2008, 06:26 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by okos
Over the last week I googled dozens of links regarding selinux. Including reading the papers on the nsa web site. I searched my history and can't find the specific articles. I believe I read it on the nsa website and one other place.

If I find it I'll let you know.
Thanks. While SELinux kernel code, policies and userland applications are all created by people (and therefore subject to human errors) I don't think you can find a document on that that applies to any recent version of SELinux kernel code (a query of the CVE should show flaws in SELinux itself) or policies and it more likely was a case with misconfigured software or a malformed policy or something like that. In the meanwhile please retract your statement as it's currently unfounded and therefore, with all due respect, equal to spreading FUD.

We can not have that here.
 
Old 03-09-2008, 02:28 PM   #15
okos
Member
 
Registered: May 2007
Location: California
Distribution: Slackware/Ubuntu
Posts: 609

Original Poster
Rep: Reputation: 37
Quote:
Originally Posted by unSpawn
Thanks. While SELinux kernel code, policies and userland applications are all created by people (and therefore subject to human errors) I don't think you can find a document on that that applies to any recent version of SELinux kernel code (a query of the CVE should show flaws in SELinux itself) or policies and it more likely was a case with misconfigured software or a malformed policy or something like that.
We are saying much the same thing. I should have been more careful in my wording. I meant to say, files can be misconfigured by those who have root access with the use of chown and chmod tools which can lead to vulnerabilities. Though the terms chmod and chown are not used, the terms "identity and ownership" are in the article.


You can read this link from NSA.

Quote:
DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over his objects, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's objects, so no protection is provided against malicious software. Typically, only two major categories of users are supported by DAC mechanisms, completely trusted administrators and completely untrusted ordinary users. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.
I meant no harm. I think most people at LQ seem to have a genuine intent to help and learn.

I appreciate your help in pointing out my mistake. You are obviously much more knowledgeable on the linux os and computer security.

Last edited by okos; 03-09-2008 at 02:30 PM.
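
The evaluation order described in post #11 (DAC first, SELinux consulted only if DAC allows) and the DAC weakness in the NSA passage quoted in post #15, as a simplified model. This is an added example, not part of any post in the thread; the process domains, file types and allow rules are constructed for illustration and are not a real SELinux policy.

```python
# Simplified model of the decision order: DAC mode bits first, SELinux type
# enforcement second. Labels and rules are constructed, not a real policy.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # rwx permission bits

@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    domain: str   # SELinux type of the process (constructed)

@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int     # DAC mode bits, e.g. 0o640
    ftype: str    # SELinux type of the file (constructed)

# Constructed allow rules: (process domain, file type) -> permitted bits.
TE_ALLOW = {
    ("httpd_t", "httpd_content_t"): R,
    ("user_t", "user_home_t"): R | W,
}

def dac_allows(p, f, want):
    if p.uid == 0:  # root bypasses mode bits, except exec needs some x bit
        return not (want & X) or bool(f.mode & 0o111)
    # Pick the owner, group or other permission class, as the kernel does.
    shift = 6 if p.uid == f.owner else 3 if f.group in p.gids else 0
    return ((f.mode >> shift) & want) == want

def mac_allows(p, f, want):  # default deny: no explicit rule, no access
    return (TE_ALLOW.get((p.domain, f.ftype), 0) & want) == want

def decide(p, f, want):
    if not dac_allows(p, f, want):
        return "denied by DAC"      # SELinux is not consulted at all
    if not mac_allows(p, f, want):
        return "denied by SELinux"  # DAC said yes, policy said no
    return "allowed"

def demo():
    shadow = File(0, 0, 0o600, "shadow_t")
    page = File(0, 0, 0o644, "httpd_content_t")
    user = Process(1000, frozenset({100}), "user_t")
    daemon = Process(0, frozenset({0}), "httpd_t")  # root-run web server
    return [decide(user, shadow, R), decide(daemon, shadow, R),
            decide(daemon, page, R), decide(daemon, page, W)]
```

In the model, the root-run daemon passes every DAC check but is still limited to reading its own content type, which is the confinement the NSA passage says DAC alone cannot provide.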
 
  

