Re: Which module is "best"?

From: Chris Wright (chrisat_private)
Date: Mon Mar 10 2003 - 13:54:31 PST

    * Daniel Carrera (dcarreraat_private) wrote:
    > Hello,
    > I want to try to learn one of the LSM modules, but I have little
    > clue as to which one I should pick.
    > I've read a couple of papers explaining SELinux and its model of MAC.
    > I was very impressed and I'm leaning towards this one.  However, I'm
    > concerned that it's only a research project.  Is SELinux meant for
    > production systems? or is it just a proof of concept?
    > In other words, is SELinux a good option?
    I wouldn't classify SELinux[1] as just a research project.  There is a
    debian project that helps provide some basic policy definitions to help
    secure a production type system[2].
    > As for the others (DTE, Openwall, LIDS, POSIX capabilities), are they
    > comparable in security to SELinux?
    DTE provides a different configuration language and a subset of the
    SELinux functionality, however the type enforcement scheme (at the
    file level) is really similar to SELinux.  Take a look at the DTE site
    for better information[3].  LIDS has an ACL system that allows you to
    confine programs in a way that feels similar to type enforcement.  It also
    provides support for expressing capabilities, and it has an ipchains-like
    admin interface which makes it fairly easy to use.  The FAQ shows a
    lot of sample setups[4].  Openwall and Capabilities provide limited
    protection, and require the least user/admin configuration (read: none).
    They provide a nice complement to a fuller-featured MAC system.
    > I am very interested in bringing the security of my Linux system
    > beyond the traditional super-user model.  If I only have time to learn
    > one of these systems, which one should I go for?
    Take a look at the links and draw your own conclusion.  Each has its
    strengths and weaknesses.
