Re: Which module is "best"?

From: Russell Coker (russellat_private)
Date: Mon Mar 10 2003 - 13:40:02 PST

  • Next message: Crispin Cowan: "Re: Which module is "best"?"

    On Sun, 9 Mar 2003 23:59, Daniel Carrera wrote:
    > I want to try to learn one of the LSM modules, but I have little
    > clue as to which one I should pick.
    Firstly, I am going to specifically avoid SE advocacy on this list.  Feel free 
    to ask me, Stephen Smalley <sdsat_private>, or Peter Loscocco 
    <palat_private> privately for such information, or ask on the SE Linux 
    > I've read a couple of papers explaining SELinux and its model of MAC.
    > I was very impressed and I'm leaning towards this one.  However, I'm
    > concerned that it's only a research project.  Is SELinux meant for
    > production systems? or is it just a proof of concept?
    > In other words, is SELinux a good option?
    SE Linux is being used for production systems.  The main servers for two small 
    Internet companies in Australia are running SE Linux, and all the machines I 
    own run it.  I am involved in preliminary talks with some large companies 
    (large enough that anyone who reads newspapers would instantly recognise 
    their names) that are considering using SE Linux for production servers.
    I am also being paid to do some SE Linux work, but the work I am being paid 
    for is research type work and probably wouldn't count according to your 
    The transition between 2.4.x kernels and 2.6.x will probably be painful for SE 
    Linux users.  But most of the problems concern system calls and will hit LIDS 
    and DTE just as badly.
    > As for the others (DTE, Openwall, LIDS, POSIX capabilities), are they
    > comparable in security to SELinux?
    DTE has similar concepts and aims to SE Linux (I don't want to say more on 
    this list).
    POSIX capabilities are very limited, and as far as I understand it this is the 
    same as what you get in a standard Linux kernel, it's only a separate module 
    for the LSM patch (someone please correct me if I am wrong).
    OpenWall just limits who can do "ps aux" and see all processes, has stack 
    smashing protection, makes sure that file handles 0, 1, and 2 are open for 
    SUID binaries, and restricts creation of links in directories with the tag 
    bit.  It's very useful for good basic protection of a system with minimal 
    effort.  SE Linux allows much stricter limits on what processes can do.  The 
    OpenWall philosophy is to have a few small patches to the kernel for 
    particularly risky cases, and to have well audited code running with minimal 
    privs.  The SE Linux philosophy is to lock down all processes as much as 
    possible and deny a process everything that it doesn't really need, it 
    doesn't matter if a daemon has unnecessary root access, that doesn't allow it 
    to do any damage.
    I don't know enough about LIDS to comment on it at all.
    To give you an example of what SE Linux can do, see the following URL for 
    details of my play machine.  On my play machine SE Linux is used to provide 
    all security for the machine, even as root you can't do any damage.
    Please note, it is not recommended to run a serious server in such a manner.  
    But this is a good test of SE Linux policy (several important policy 
    improvements have derived from it), and it is a good demonstration of what SE 
    Linux can do.
    > I am very interested in bringing the security of my Linux system
    > beyond the traditional super-user model.  If I only have time to learn
    > one ofthese systems, which one should I go for?
    I suggest that one factor to influence your decision should be the amount of 
    support you'll get.
    There is an active SE Linux IRC channel where you can ask questions at any 
    time of the day or night.  Most people on the channel are not watching IRC 
    all the time, it may take 30-60 minutes to get a response.  Several time 
    zones are covered.
    The SE Linux mailing list is reasonably active and questions tend to be 
    answered quickly (except for the really hard questions which only get 
    answered during business hours in the US).
    --   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 13:40:38 PST