Next Meeting

Darin Perusich Darin.Perusich at cognigencorp.com
Thu Apr 15 08:19:45 EDT 2004


selinux is the linux equivalent of Trusted Solaris. it gives you the 
ability to remove the all powerful root account and makes it a normal 
user, gives you super granular control over all aspects of the system. 
i looked into a year or so ago and found it to be crazy overkill, unless 
you're doing super secret government or corporate stuff.

i feel that you can reasonably secure a system using chroot(), non-root 
users for daemons, ip tables, etc. for everyday stuff like dns, apache, 
sendmail/postfix. playing this selinux would definetly be a great 
learning experience.

TheCactusKid Cactus wrote:
> SELinux sounds like something I surely would be interested in! Let us in 
> on it! What is it all about and when is it due to be released?
>  
> tHecActUsKid:)
> 
> */"Kevin E. Glosser" <keg at adelphia.net>/* wrote:
> 
>     On Sat, 2004-04-10 at 10:36, Joshua R. Altemoos wrote:
>      > I plan to come to the next meeting on the 18th and i wanted to
>     know is there any
>      > topics anyone are going to discuss??
> 
>     I got one to throw out for you guys...
> 
>     SELinux
> 
>     Only recently did I become aware of it's existence. It sounds very
>     interesting and whether or not you care for it, it appears to be headed
>     to a linux distro near you.
> 
>     Although, I know not which distro's intend to incorporate it. I do know,
>     Fedora/Redhat are already working on it. I discovered this when I
>     decided to try Fedora Core 2(test 2).
> 
>     Fedora Core 2 is being used as a test bed for a future Redhat release.
>     New in FC2...
> 
>     1) SELinux
>     2) 2.6 kernel
> 
>     So what is SELinux?
> 
>     Security Enhanced Linux (developed by the NSA)
> 
>     from the SELinux FAQ...
> 
>     "The Security-enhanced Linux kernel enforces mandatory access control
>     policies that confine user programs and system servers to the minimum
>     amount of privilege they require to do their jobs. When confined in this
>     way, the ability of these user programs and system daemons to cause harm
>     when compromised (via buffer overflows or misconfigurations, for
>     example) is reduced or eliminated. This confinement mechanism operates
>     independently of the traditional Linux access control mechanisms. It has
>     no concept of a "root" super-user, and does t share the well-known
>     shortcomings of the traditional Linux security mechanisms (such as a
>     dependence on setuid/setgid binaries)."
> 
>     more info...
> 
>     Fedora... http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
> 
>     NSA... http://www.nsa.gov/selinux/
> 
>     KEG
> 
> ------------------------------------------------------------------------
> Do you Yahoo!?
> Yahoo! Tax Center - File online by April 15th 
> <http://taxes.yahoo.com/filing.html>

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corp.
darinper at cognigencorp.com





More information about the nflug mailing list