Old 08-11-2011, 03:30 AM   #1
JonJAN
LQ Newbie
 
Registered: Aug 2011
Posts: 10

Rep: Reputation: Disabled
Few questions about SElinux


I intend to start using Fedora for that extra boost of security. I did some reading but I got lost in the complexity of SELinux.

If I understood correctly, audit2allow will allow whatever that program wants, which does not sound very secure. But I don't (yet) have the skill to manually edit the SE rules, so I will end up using it a lot.

>First question is, do you think "linux+SElinux+(lots of allow2audited software)" will make for worse security than plain linux?

>I know third party repos aren't security wise but I need mp3 and unrar from rpmfusion. What will happen if stuff I downloaded comes without any sepolicy, will selinux allow it to wreak havoc or block it completely?

> What do you think about Fedora GUI tools for policy management?
 
Old 08-11-2011, 10:48 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by JonJAN View Post
If I understood correctly, audit2allow will allow whatever that program wants, which does not sound very secure. But I don't (yet) have the skill to manually edit the SE rules, so I will end up using it a lot. >First question is, do you think "linux+SElinux+(lots of allow2audited software)" will make for worse security than plain linux?
SELinux (Mandatory Access Controls) works on top of DAC (Discretionary Access Controls aka "ownership and permissions") so MAC can only enhance security. Regardless of that, reviewing rules before using them should be done. Just post them if unsure.


Quote:
Originally Posted by JonJAN View Post
>I know third party repos aren't security wise but I need mp3 and unrar from rpmfusion. What will happen if stuff I downloaded comes without any sepolicy, will selinux allow it to wreak havoc or block it completely?
MP3 OK but I do not know of *any* Free or Open Source Software that requires RAR to unpack. (Commonly the compression format is associated with warezed stuff so if you don't do illegal or shady D/Ls then you wouldn't need it anyway. Regardless of that discussion there is a "p7zip-rar" extraction module for the p7zip package.) Default "targeted" SELinux policy is a kind of "outside-in" policy: providing an extra layer of hardening for running (networked) services but leaving local users free to run things (or "unconfined" in SELinux-speak). Hence you wouldn't have any problems running that kind of software unless it tries to access entities restricted by the policy. In that case creating rules and reviewing them carefully before using them may alleviate trouble.


Quote:
Originally Posted by JonJAN View Post
> What do you think about Fedora GUI tools for policy management?
I have no opinion as I prefer the command line and only use a GUI tool to create policies for new services.
 
1 members found this post helpful.
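
Added example, not part of the posts above and not code from Fedora or the SELinux tools: a small Python sketch of the "review rules before using them" step. It groups AVC denials into allow rules the way audit2allow does and marks the ones worth posting for a second opinion. The `myapp_t` domain, the log lines and the two "sensitive" lists are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (hypothetical myapp_t domain, not from a real system).
SAMPLE_LOG = '''\
type=AVC msg=audit(1313051400.101:201): avc:  denied  { read } for  pid=2101 comm="myapp" name="app.conf" dev=dm-0 ino=4101 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1313051400.102:202): avc:  denied  { open } for  pid=2101 comm="myapp" name="app.conf" dev=dm-0 ino=4101 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1313051401.300:203): avc:  denied  { read } for  pid=2101 comm="myapp" name="shadow" dev=dm-0 ino=5102 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1313051402.007:204): avc:  denied  { execmem } for  pid=2101 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=process
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)")

# Short illustrative lists chosen for this example, not a complete checklist.
SENSITIVE_TYPES = {"shadow_t"}
SENSITIVE_PERMS = {"execmem", "execstack", "execheap", "execmod"}

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge denials into one permission set per (source type, target type, class)."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def review(rules):
    """Return (rule_text, reasons) pairs; non-empty reasons mean 'look before loading'."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        reasons = []
        if tgt in SENSITIVE_TYPES:
            reasons.append(f"target type {tgt} is sensitive")
        reasons += [f"permission {p} relaxes a memory-protection check"
                    for p in sorted(perms & SENSITIVE_PERMS)]
        target = "self" if tgt == src else tgt
        text = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append((text, reasons))
    return out

if __name__ == "__main__":
    for text, reasons in review(denials_to_rules(SAMPLE_LOG)):
        print(("REVIEW " if reasons else "ok     ") + text, *reasons, sep="\n    ")
```

Of the three rules produced from the sample, only the `etc_t` read passes without comment; the `shadow_t` and `execmem` rules are the kind to question rather than load as generated.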
Old 08-11-2011, 02:17 PM   #3
JonJAN
LQ Newbie
 
Registered: Aug 2011
Posts: 10

Original Poster
Rep: Reputation: Disabled
Thanks, that was the most helpful post ever!

I'm definitely going to SELinux.
Can you advise me on good reading to get me started?
How long does it take to learn SELinux?
 
Old 08-11-2011, 05:33 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by JonJAN View Post
Can you advise me on good reading to get me started?
Actually the Fedora website has SELinux pretty much documented well: index, FAQ and the Fedora SELinux User Guide. Do read but don't try to take it all in: pace things, look them up as you go slash need answers.


Quote:
Originally Posted by JonJAN View Post
How long does it take to learn SELinux?
Heh, I'm not the right person to ask. I haven't mastered it and I only know what I need to know (OK, a *wee* bit more ;p).
 
Old 08-12-2011, 03:08 AM   #5
JonJAN
LQ Newbie
 
Registered: Aug 2011
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
I only know what I need to know (OK, a *wee* bit more ;p).
Actually that is the very level of mastery I'm targeting.
 
Old 08-15-2011, 11:59 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
You should find chap 43 here pretty comprehensive http://www.linuxtopia.org/online_boo...ion/index.html
 
  

