On Sun, 9 Mar 2003 23:59, Daniel Carrera wrote: > I want to try to learn one of the LSM modules, but I have little > clue as to which one I should pick. Firstly, I am going to specifically avoid SE advocacy on this list. Feel free to ask me, Stephen Smalley <sdsat_private>, or Peter Loscocco <palat_private> privately for such information, or ask on the SE Linux list. > I've read a couple of papers explaining SELinux and its model of MAC. > I was very impressed and I'm leaning towards this one. However, I'm > concerned that it's only a research project. Is SELinux meant for > production systems? or is it just a proof of concept? > In other words, is SELinux a good option? SE Linux is being used for production systems. The main servers for two small Internet companies in Australia are running SE Linux, and all the machines I own run it. I am involved in preliminary talks with some large companies (large enough that anyone who reads newspapers would instantly recognise their names) that are considering using SE Linux for production servers. I am also being paid to do some SE Linux work, but the work I am being paid for is research type work and probably wouldn't count according to your criteria. The transition between 2.4.x kernels and 2.6.x will probably be painful for SE Linux users. But most of the problems concern system calls and will hit LIDS and DTE just as badly. > As for the others (DTE, Openwall, LIDS, POSIX capabilities), are they > comparable in security to SELinux? DTE has similar concepts and aims to SE Linux (I don't want to say more on this list). POSIX capabilities are very limited, and as far as I understand it this is the same as what you get in a standard Linux kernel, it's only a separate module for the LSM patch (someone please correct me if I am wrong). OpenWall just limits who can do "ps aux" and see all processes, has stack smashing protection, makes sure that file handles 0, 1, and 2 are open for SUID binaries, and restricts creation of links in directories with the tag bit. It's very useful for good basic protection of a system with minimal effort. SE Linux allows much stricter limits on what processes can do. The OpenWall philosophy is to have a few small patches to the kernel for particularly risky cases, and to have well audited code running with minimal privs. The SE Linux philosophy is to lock down all processes as much as possible and deny a process everything that it doesn't really need, it doesn't matter if a daemon has unnecessary root access, that doesn't allow it to do any damage. I don't know enough about LIDS to comment on it at all. To give you an example of what SE Linux can do, see the following URL for details of my play machine. On my play machine SE Linux is used to provide all security for the machine, even as root you can't do any damage. http://www.coker.com.au/selinux/play.html Please note, it is not recommended to run a serious server in such a manner. But this is a good test of SE Linux policy (several important policy improvements have derived from it), and it is a good demonstration of what SE Linux can do. > I am very interested in bringing the security of my Linux system > beyond the traditional super-user model. If I only have time to learn > one ofthese systems, which one should I go for? I suggest that one factor to influence your decision should be the amount of support you'll get. There is an active SE Linux IRC channel where you can ask questions at any time of the day or night. Most people on the channel are not watching IRC all the time, it may take 30-60 minutes to get a response. Several time zones are covered. The SE Linux mailing list is reasonably active and questions tend to be answered quickly (except for the really hard questions which only get answered during business hours in the US). -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 13:40:38 PST