Re: Which module is "best"?

From: Chris Wright (chrisat_private)
Date: Mon Mar 10 2003 - 13:54:31 PST

    * Daniel Carrera (dcarreraat_private) wrote:
    > Hello,
    > 
    > I want to try to learn one of the LSM modules, but I have little 
    > clue as to which one I should pick.
    > 
    > I've read a couple of papers explaining SELinux and its model of MAC.    
    > I was very impressed and I'm leaning towards this one.  However, I'm
    > concerned that it's only a research project.  Is SELinux meant for
    > production systems? or is it just a proof of concept?
    > In other words, is SELinux a good option?
    
    I wouldn't classify SELinux[1] as just a research project.  There is a
    Debian project that helps provide some basic policy definitions to help
    secure a production type system[2].
    
    > As for the others (DTE, Openwall, LIDS, POSIX capabilities), are they
    > comparable in security to SELinux?
    
    DTE provides a different configuration language and a subset of the
    SELinux functionality, however the type enforcement scheme (at the
    file level) is really similar to SELinux.  Take a look at the DTE site
    for better information[3].  LIDS has an ACL system that allows you to
    confine programs in a way that feels similar to type enforcement.  It also
    provides support for expressing capabilities, and it has an ipchains-like
    admin interface which makes it fairly easy to use.  The FAQ shows a
    lot of sample setups[4].  Openwall and Capabilities provide limited
    protection, and require the least user/admin configuration (read: none).
    They provide a nice complement to a fuller-featured MAC system.
    
    > I am very interested in bringing the security of my Linux system 
    > beyond the traditional super-user model.  If I only have time to learn 
    > one of these systems, which one should I go for?
    
    Take a look at the links and draw your own conclusion.  Each has its
    strengths and weaknesses.
    
    cheers,
    -chris
    
    [1] http://www.nsa.gov/selinux/
    [2] http://www.coker.com.au/selinux/
    [3] http://www.cs.wm.edu/~hallyn/dte/
    [4] http://www.lids.org/lids-faq/LIDS-FAQ-7.html
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 13:54:57 PST