Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I intent to start using fedora for that extra boost of security. I did some reading but I lost in the complexity of the SElinux.
If I understood correctly, audit2allow will allow whatever that program wants, which does not sound very secure. But I don't (yet) have the skill to manually edit the SE rules, so I will end up using it alot.
>First question is, do you think "linux+SElinux+(lots of allow2audited software)" will make a worse security than plain linux?
>I know third party repos aren't security wise but I need mp3 and unrar from rpmfusion. What will happen if stuff I downloaded comes without any sepolicy, will selinux allow it wreak havoc or block it completely?
> What do you thinkg about fedora gui tools for policy management?
If I understood correctly, audit2allow will allow whatever that program wants, which does not sound very secure. But I don't (yet) have the skill to manually edit the SE rules, so I will end up using it alot. >First question is, do you think "linux+SElinux+(lots of allow2audited software)" will make a worse security than plain linux?
SELinux (Mandatory Access Controls) works on top of DAC (Discretionary Access Controls aka "ownership and permissions") so MAC can only enhance security. Regardless of that reviewing rules before using them should be done. Just post them if unsure.
Quote:
Originally Posted by JonJAN
>I know third party repos aren't security wise but I need mp3 and unrar from rpmfusion. What will happen if stuff I downloaded comes without any sepolicy, will selinux allow it wreak havoc or block it completely?
MP3 OK but I do not know of *any* Free or Open Source Software that requires RAR to unpack. (Commonly the compression format is associated with warezed stuff so if you don't do illegal or shady D/Ls then you wouldn't need it anyway. Regardless of that discussion there is a "p7zip-rar" extraction module for the p7zip package.) Default "targeted" SELinux policy is a kind of "outside-in" policy: providing an extra layer of hardening for running (networked) services but leaving local users free to run things (or "unconfined" in SELinux-speek). Hence you wouldn't have any problems running that kind of software unless it tries to access entities restricted by the policy. In that case creating rules and reviewing them carefully before using them may alleviate trouble.
Quote:
Originally Posted by JonJAN
> What do you thinkg about fedora gui tools for policy management?
I have no opinion as as I prefer the command line and only a GUI tool to create policies for new services.
Can you advice me a good reading to get me started?
Actually the Fedora website has SELinux pretty much documented well: index, FAQ and the Fedora SELinux User Guide. Do read but don't try to take it all in: pace things, look them up as you go slash need answers.
Quote:
Originally Posted by JonJAN
How long does it takes to learn selinux?
Heh, I'm not the right person to ask. I haven't mastered it and I only know what I need to know (OK, a *wee* bit more ;p).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.