LinuxQuestions.org

Thread: Questions about selinux on slackware (https://www.linuxquestions.org/questions/slackware-14/questions-about-selinux-on-slackware-625535/)

okos 03-04-2008 12:10 AM

Questions about selinux on slackware
 
Hi
I have not installed selinux but I was considering.
I have a few questions and was wondering if any of you guys could answer.

1. I have a family network of three computers on a wireless router, should I be using selinux? Or is it more geared towards the corporate structure? I also download a lot of programs.

2. I was a little fearful that if I recompile my kernel with selinux that it will mess up my system. There does not seem to be much support for installing it on slackware.

3. Is it very intrusive and inhibiting? Will I have to change selinux every time I install programs from source? Will it cause a lot of problems running software?

4. What is pam? I read two forums where they want selinux but without pam.

5. Since selinux looks at every object (file), will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?

6. Is there other similar security software that seems to be more user friendly and compatible with slackware?

askalon9f2 03-04-2008 02:13 AM

In answer to 6. : you could use open source tripwire http://sourceforge.net/projects/tripwire/

Regards,

archtoad6 03-05-2008 09:51 AM

What are you trying to accomplish? -- I/we could advise you better if we knew the Q behind the Q.

I have several friends who use Fedora & they seem to disable it because it is such a PITA. BTW, trying to put it on Slack seems ill-advised: (from http://en.wikipedia.org/wiki/Selinux#Implementations):
Quote:

There was some work to provide SELinux packages for SUSE [3] and Slackware [4], but development seems to have stopped (the files are old).

Some "random" links I looked at:

unSpawn 03-05-2008 11:24 AM

Quote:

Originally Posted by okos (Post 3077370)
I have a family network of three computers on a wireless router, should I be using selinux? Or is it more geared towards the corporate structure? I also download a lot of programs.

No, SELinux is all-purpose. Being "shielded" inside a LAN and not (running accessible or) exposing any services to hostile networks can be considered mitigating. Properly hardening a machine should always be considered a standard practice.


Quote:

Originally Posted by okos (Post 3077370)
I was a little fearful that if I recompile my kernel with selinux that it will mess up my system. There does not seem to be much support for installing it on slackware.

That does seem to be the fact at this moment. Unfortunately. Compiling the kernel isn't the only thing you need to do: utilities need to be SELinux-aware too.


Quote:

Originally Posted by okos (Post 3077370)
Is it very intrusive and inhibiting? Will I have to change selinux every time I install programs from source? Will it cause a lot of problems running software?

Until you've run it on a recent, maintained and supported distribution that has SELinux enabled out of the box, I find "very intrusive and inhibiting" is just another opinion (to keep or change, the choice is yours).


Quote:

Originally Posted by okos (Post 3077370)
What is pam? I read two forums where they want selinux but without pam.

PAM is the TLA of "Pluggable Authentication Modules". It provides you with a unified authentication interface for both local and remote auth ops. AFAIK Slackware is the only GNU/Linux distribution that does not use PAM, the one main reason for that is:
Quote:

Originally Posted by Patrick Volkerding
"I think a better name for PAM might be SCAM, for Swiss Cheese Authentication Modules, and have never felt that the small amount of convenience it provides is worth the great loss of system security."

...which illustrates (...). Anyway, Slackware can run PAM (see Dropline).


Quote:

Originally Posted by okos (Post 3077370)
Since selinux looks at every object (file), will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?

The current default shipped Policy called "targeted" (in layman's terms) hardens mostly the outside, the inside remaining chewy ;-p And no, there are no problems working around that using tools to relabel entities and adjust the local policy.


Quote:

Originally Posted by okos (Post 3077370)
Is there other similar security software that seems to be more user friendly and compatible with slackware?

The only in-kernel equivalents are kernel patches like GRSecurity or LIDS. They're different. You'll find patching the kernel and running GRSecurity (even without RBAC) will be a good start for having a rather well-protected system but you should still consider hardening the system properly.



Quote:

Originally Posted by archtoad6 (Post 3078959)
I have several friends who use Fedora & they seem to disable it because it is such a PITA.

What does that prove? As I already said in another thread there is no realistic equivalent in the GNU/Linux world that is maintained and supported, gains adaptation and helps distributions get EAL certified like SELinux. On the practical side of things SELinux has mitigated security risks. So for both reasons it is worthwhile enabling if you have it. So go tell your friends.

archtoad6 03-05-2008 11:57 AM

Perhaps I should have mentioned that the friends are professional Linux consultants. So I guess it proves that however valuable it is, it's got a major (?) learning curve.

Of course those who are using it successfully may not have complained. I'll try to re-survey tonight at the HLUG weekly Workshop.

Serious Q: If SELinux is so good, which firewall distros have adopted it? -- AFAIK, not SmoothWall Express or IPCop.

For that matter, I see no sign of Tripwire, Samhain, chkrootkit, or rkhunter in SmoothWall Express & this worries me.

Tinkster 03-05-2008 01:29 PM

Quote:

Originally Posted by archtoad6 (Post 3079104)
Perhaps I should have mentioned that the friends are professional Linux consultants. So I guess it proves that however valuable it is, it's got a major (?) learning curve.

So does using Linux if you started on a Mac or Windows machine.
Maybe it proves that consultants are lazy and stupid? ;D



Cheers,
Tink

archtoad6 03-05-2008 02:03 PM

Or busy :D

unSpawn 03-05-2008 06:36 PM

Quote:

Originally Posted by archtoad6 (Post 3079104)
If SELinux is so good, which firewall distros have adopted it? -- AFAIK, not SmoothWall Express or IPCop.
For that matter, I see no sign of Tripwire, Samhain, chkrootkit, or rkhunter in SmoothWall Express & this worries me.

Apologies to the OP, we shouldn't derail this thread. I don't know which firewall distributions do and I'd argue it should matter less since a firewall device is (or should be) a hardened single purpose device, not lighting up on the "hostile" side with services like a Christmas tree.

okos 03-05-2008 07:45 PM

Thanks for the great info and the little debate ;).

I am pretty new to linux and I want to better secure my system. Having read quite a bit about selinux, it seems that it is only as good as it is set up. In a nutshell, it seems that selinux is based on examining every file and process. I guess I would have to tell selinux, in layman's terms, how to look at each and every file and process. Setting it up seems to be way too much work.

So.....

Having read some of the selinux papers, there seem to be flaws with the use of the chmod command, giving hackers, poorly written software, and hostile software root access.

What should I do to "harden" my system? Your expert opinions would be much appreciated.

I have a dell inspiron 5150 with a dual boot. xp/slackware 12.

Thanks

gnashley 03-05-2008 11:52 PM

There used to be a guide and script around - try googling for 'harden slackware'.

unSpawn 03-06-2008 04:51 AM

Quote:

Originally Posted by okos (Post 3079483)
Having read quite a bit about selinux, it seems that it is only as good as it is set up.

True, but that goes for everything.


Quote:

Originally Posted by okos (Post 3079483)
In a nutshell, it seems that selinux is based on examining every file and process. I guess I would have to tell selinux, in layman's terms, how to look at each and every file and process.

SELinux works on top of DAC. So if access restrictions deny access then SELinux doesn't need to look further for a "decision".


Quote:

Originally Posted by okos (Post 3079483)
Setting it up seems to be way too much work.

An unsatisfactory but realistic outcome. It does place the work of maintainers and distros that provide out of the box GRSecurity (Gentoo) or SELinux (you know) in a different light I think.


Quote:

Originally Posted by okos (Post 3079483)
Having read some of the selinux papers, there seem to be flaws with the use of the chmod command, giving hackers, poorly written software, and hostile software root access.

Post the URIs for that please because (with all due respect) it sounds like FUD.

T3slider 03-06-2008 05:29 PM

gnashley, is this what you were talking about: http://www.cochiselinux.org/files/sy...ening-10.2.txt ? (For 10.2, but may work -- haven't looked into it). Also see here: http://www.antionline.com/showthread.php?p=936777 (all by googling).

okos 03-06-2008 10:41 PM

Quote:

Originally Posted by unSpawn (Post 3079789)
Post the URIs for that please because (with all due respect) it sounds like FUD.

Over the last week I googled dozens of links regarding selinux. Including reading the papers on the nsa web site. I searched my history and can't find the specific articles. I believe I read it on the nsa website and one other place.

If I find it I'll let you know.

unSpawn 03-09-2008 06:26 AM

Quote:

Originally Posted by okos (Post 3080717)
Over the last week I googled dozens of links regarding selinux. Including reading the papers on the nsa web site. I searched my history and can't find the specific articles. I believe I read it on the nsa website and one other place.

If I find it I'll let you know.

Thanks. While SELinux kernel code, policies and userland applications are all created by people (and therefore subject to human errors) I don't think you can find a document on that that applies to any recent version of SELinux kernel code (a query of the CVE should show flaws in SELinux itself) or policies and it more likely was a case with misconfigured software or a malformed policy or something like that. In the meanwhile please retract your statement as it's currently unfounded and therefore, with all due respect, equal to spreading FUD.

We can not have that here.

okos 03-09-2008 02:28 PM

Quote:

Originally Posted by unSpawn (Post 3082819)
Thanks. While SELinux kernel code, policies and userland applications are all created by people (and therefore subject to human errors) I don't think you can find a document on that that applies to any recent version of SELinux kernel code (a query of the CVE should show flaws in SELinux itself) or policies and it more likely was a case with misconfigured software or a malformed policy or something like that.

We are saying much the same thing. I should have been more careful in my wording. I meant to say, files can be misconfigured by those who have root access with the use of chown and chmod tools which can lead to vulnerabilities. Though the terms chmod and chown are not used, the terms "identity and ownership" are in the article.


You can read this link from NSA.

Quote:

DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over his objects, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's objects, so no protection is provided against malicious software. Typically, only two major categories of users are supported by DAC mechanisms, completely trusted administrators and completely untrusted ordinary users. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.

I meant no harm. I think most people at LQ seem to have a genuine intent to help and learn.

I appreciate your help in pointing out my mistake. You are obviously much more knowledgeable on the Linux OS and computer security.
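A toy model of the two points the thread circles around: unSpawn's remark that SELinux sits on top of DAC (a DAC denial is never referred to SELinux), and the NSA passage on why DAC alone is inadequate. This is an added example, not code from any post or from the SELinux project; the domains, file types and allow rules are constructed and do not reflect a real policy.

```python
from dataclasses import dataclass

# Simplified model of the DAC-then-MAC decision order. The domains,
# types and ALLOW rules are hypothetical, not a real SELinux policy.

@dataclass
class Subject:
    uid: int
    gid: int
    domain: str    # SELinux process type, e.g. "user_t"

@dataclass
class File:
    uid: int
    gid: int
    mode: int      # classic permission bits, e.g. 0o644
    ftype: str     # SELinux file type, e.g. "shadow_t"

# Hypothetical type-enforcement rules: (domain, file type) -> permissions
ALLOW = {
    ("user_t", "user_home_t"): {"read", "write"},
    ("passwd_t", "shadow_t"): {"read", "write"},
}

def dac_allows(s: Subject, f: File, perm: str) -> bool:
    """Owner/group/other bit check; uid 0 bypasses DAC entirely."""
    if s.uid == 0:
        return True
    if s.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif s.gid == f.gid:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bool(bits & {"read": 4, "write": 2, "exec": 1}[perm])

def mac_allows(s: Subject, f: File, perm: str) -> bool:
    """Type enforcement: deny unless an allow rule exists for the pair."""
    return perm in ALLOW.get((s.domain, f.ftype), set())

def check_access(s: Subject, f: File, perm: str) -> tuple:
    """DAC is consulted first; SELinux only sees requests DAC already allowed."""
    if not dac_allows(s, f, perm):
        return ("deny", "dac")        # SELinux never consulted
    if not mac_allows(s, f, perm):
        return ("deny", "selinux")    # DAC allowed, policy refused
    return ("allow", "selinux")
```

A shadow file wrongly chmod'ed to 0666 stays unreadable to the confined `user_t` domain, and even a root process stuck in that domain is refused, which is the gap in DAC the NSA text describes.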

