Hi
I have not installed selinux but I was considering it.
I have a few questions and was wondering if any of you guys could answer.
1. I have a family network of three computers on a wireless router, should I be using selinux? Or is it more geared towards the corporate structure? I also download a lot of programs.
2. I was a little fearful that if I recompile my kernel with selinux that it will mess up my system. There does not seem to be much support for installing it on slackware.
3. Is it very intrusive and inhibiting? Will I have to change selinux every time I install programs from source? Will it cause a lot of problems running software?
4. What is pam? I read two forums where they want selinux but without pam.
5. Since selinux looks at every object (file) will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?
6. Is there other similar security software that seems to be more user friendly and compatible with slackware?
Quote:
Originally Posted by okos
I have a family network of three computers on a wireless router, should I be using selinux? Or is it more geared towards the corporate structure? I also download a lot of programs.
No, SELinux is all-purpose. Being "shielded" inside a LAN and not (running accessible or) exposing any services to hostile networks can be considered mitigating. Properly hardening a machine should always be considered a standard practice.
Quote:
Originally Posted by okos
I was a little fearful that if I recompile my kernel with selinux that it will mess up my system. There does not seem to be much support for installing it on slackware.
That does seem to be the fact at this moment. Unfortunately. Compiling the kernel isn't the only thing you need to do: utilities need to be SELinux-aware too.
Quote:
Originally Posted by okos
Is it very intrusive and inhibiting? Will I have to change selinux every time I install programs from source? Will it cause a lot of problems running software?
Until you've run it on a recent, maintained and supported distribution that has SELinux enabled out of the box, I find "very intrusive and inhibiting" is just another opinion (to keep or change, the choice is yours).
Quote:
Originally Posted by okos
What is pam? I read two forums where they want selinux but without pam.
PAM is the TLA of "Pluggable Authentication Modules". It provides you with a unified authentication interface for both local and remote auth ops. AFAIK Slackware is the only GNU/Linux distribution that does not use PAM, the one man reason for that is:
Quote:
Originally Posted by Patrick Volkerding
"I think a better name for PAM might be SCAM, for Swiss Cheese Authentication Modules, and have never felt that the small amount of convenience it provides is worth the great loss of system security."
...which illustrates (...). Anyway, Slackware can run PAM (see Dropline).
Quote:
Originally Posted by okos
Since selinux looks at every object (file) will I need to spend quite a bit of time setting it up to enable everything I am currently using as a user? In other words, will I run into lots of problems with lots of objects disabled?
The current default shipped Policy called "targeted" (in layman's terms) hardens mostly the outside, the inside remaining chewy ;-p And no, there are no problems working around that using tools to relabel entities and adjust the local policy.
Quote:
Originally Posted by okos
Is there other similar security software that seems to be more user friendly and compatible with slackware?
The only in-kernel equivalents are kernel patches like GRSecurity or LIDS. They're different. You'll find patching the kernel and running GRSecurity (even without RBAC) will be a good start for having a rather well-protected system but you should still consider hardening the system properly.
Quote:
Originally Posted by archtoad6
I have several friends who use Fedora & they seem to disable it because it is such a PITA.
What does that prove? As I already said in another thread there is no realistic equivalent in the GNU/Linux world that is maintained and supported, gains adaptation and helps distributions get EAL certified like SELinux. On the practical side of things SELinux has mitigated security risks. So for both reasons it is worthwhile enabling if you have it. So go tell your friends.
Perhaps I should have mentioned that the friends are professional Linux consultants. So I guess it proves that however valuable it is, it's got a major (?) learning curve.
Of course those who are using it successfully may not have complained. I'll try to re-survey tonight at the HLUG weekly Workshop.
Serious Q: If SELinux is so good, which firewall distros have adopted it? -- AFAIK, not SmoothWall Express or IPCop.
For that matter, I see no sign of Tripwire, Samhain, chkrootkit, or rkhunter in SmoothWall Express & this worries me.
Quote:
Originally Posted by archtoad6
Perhaps I should have mentioned that the friends are professional Linux consultants. So I guess it proves that however valuable it is, it's got a major (?) learning curve.
So does using Linux if you started on a Mac or Windows machine.
Maybe it proves that consultants are lazy and stupid? ;D
Quote:
Originally Posted by archtoad6
If SELinux is so good, which firewall distros have adopted it? -- AFAIK, not SmoothWall Express or IPCop.
For that matter, I see no sign of Tripwire, Samhain, chkrootkit, or rkhunter in SmoothWall Express & this worries me.
Apologies to the OP, we shouldn't derail this thread. I don't know which firewall distributions do and I'd argue it should matter less since a firewall device is (or should be) a hardened single purpose device, not lighting up on the "hostile" side with services like a Christmas tree.
I am pretty new to linux and I want to better secure my system. Having read quite a bit about selinux, it seems that it is only as good as it is set up. In a nutshell, it seems that selinux is based on examining every file and process. I guess I would have to tell selinux, in layman's terms, how to look at each and every file and process. Setting it up seems to be way too much work.
So.....
Having read some of the selinux papers, there seem to be flaws with the use of the chmod command, giving hackers, poorly written software, and hostile software root access.
What should I do to "harden" my system? Your expert opinions would be much appreciated.
I have a dell inspiron 5150 with a dual boot. xp/slackware 12.
Quote:
Originally Posted by okos
Having read quite a bit about selinux, it seems that it is only as good as it is set up.
True, but that goes for everything.
Quote:
Originally Posted by okos
In a nutshell, it seems that selinux is based on examining every file and process. I guess I would have to tell selinux, in layman's terms, how to look at each and every file and process.
SELinux works on top of DAC. So if access restrictions deny access then SELinux doesn't need to look further for a "decision".
Quote:
Originally Posted by okos
Setting it up seems to be way too much work.
An unsatisfactory but realistic outcome. It does place the work of maintainers and distros that provide out of the box GRSecurity (Gentoo) or SELinux (you know) in a different light I think.
Quote:
Originally Posted by okos
Having read some of the selinux papers, there seem to be flaws with the use of the chmod command, giving hackers, poorly written software, and hostile software root access.
Post the URIs for that please because (with all due respect) it sounds like FUD.
Quote:
Post the URIs for that please because (with all due respect) it sounds like FUD.
Over the last week I googled dozens of links regarding selinux. Including reading the papers on the nsa web site. I searched my history and can't find the specific articles. I believe I read it on the nsa website and one other place.
Quote:
Originally Posted by okos
Over the last week I googled dozens of links regarding selinux. Including reading the papers on the nsa web site. I searched my history and can't find the specific articles. I believe I read it on the nsa website and one other place.
If I find it I'll let you know.
Thanks. While SELinux kernel code, policies and userland applications are all created by people (and therefore subject to human errors) I don't think you can find a document on that that applies to any recent version of SELinux kernel code (a query of the CVE should show flaws in SELinux itself) or policies and it more likely was a case with misconfigured software or a malformed policy or something like that. In the meanwhile please retract your statement as it's currently unfounded and therefore, with all due respect, equal to spreading FUD.
Quote:
Thanks. While SELinux kernel code, policies and userland applications are all created by people (and therefore subject to human errors) I don't think you can find a document on that that applies to any recent version of SELinux kernel code (a query of the CVE should show flaws in SELinux itself) or policies and it more likely was a case with misconfigured software or a malformed policy or something like that.
We are saying much the same thing. I should have been more careful in my wording. I meant to say, files can be misconfigured by those who have root access with the use of chown and chmod tools which can lead to vulnerabilities. Though the terms chmod and chown are not used, the terms "identity and ownership" are in the article.
DAC mechanisms are fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user has complete discretion over his objects, making it impossible to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's objects, so no protection is provided against malicious software. Typically, only two major categories of users are supported by DAC mechanisms, completely trusted administrators and completely untrusted ordinary users. Many system services and privileged programs must run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs can be exploited to obtain complete system access.
I meant no harm. I think most people at LQ seem to have a genuine intent to help and learn.
I appreciate your help in pointing out my mistake. You are obviously much more knowledgeable on the linux os and computer security.
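The decision order discussed in this thread (DAC is checked first, SELinux is consulted only when DAC permits, and a program otherwise inherits everything its user may do), as an added example that is not part of any post. It is a simplified Python model: the type names, rules and files are constructed for illustration, and group permissions and capabilities are left out.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str   # SELinux type of the process (constructed, e.g. "httpd_t")

@dataclass(frozen=True)
class File:
    owner: int
    mode: int     # classic permission bits, e.g. 0o600
    label: str    # SELinux type of the file (constructed)

# Constructed type-enforcement rules: (source domain, target type, permission).
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "read"),
    ("user_t", "user_home_t", "read"),
    ("user_t", "user_home_t", "write"),
}

def dac_allows(p, f, perm):
    """Owner/other mode-bit check; uid 0 bypasses DAC entirely."""
    if p.uid == 0:
        return True
    owner_bit, other_bit = {"read": (stat.S_IRUSR, stat.S_IROTH),
                            "write": (stat.S_IWUSR, stat.S_IWOTH)}[perm]
    return bool(f.mode & (owner_bit if p.uid == f.owner else other_bit))

def decide(p, f, perm, policy=ALLOW):
    """Return (granted, deciding_layer); MAC is reached only if DAC permits."""
    if not dac_allows(p, f, perm):
        return (False, "DAC")
    if (p.domain, f.label, perm) not in policy:
        return (False, "MAC")
    return (True, "DAC+MAC")

# Constructed sample objects.
notes = File(owner=1000, mode=0o600, label="user_home_t")
page = File(owner=0, mode=0o644, label="httpd_sys_content_t")

if __name__ == "__main__":
    print(decide(Process(1001, "user_t"), notes, "read"))   # another user
    print(decide(Process(0, "httpd_t"), notes, "read"))     # root daemon, confined
    print(decide(Process(1000, "user_t"), notes, "write"))  # the owner
    print(decide(Process(0, "httpd_t"), page, "read"))      # daemon, its own content
```

The second case is the one DAC alone cannot express: a daemon running as root passes every mode-bit check, and only the missing allow rule for its domain keeps it out of the user's file.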