March 4th, 2008, 02:18 PM
#3
Hi
Well written post - it's a pleasure to try to answer your questions.
In short:
1) You don't need selinux. It's geared towards environments with the
need for mandatory access controls[1].
2) If you really want to play with selinux, there is excellent support
with Fedora Core (and others, I guess).
3) I don't know, but probably.
4) PAM can be run with selinux, but needs a specific module (pam_selinux.so).
PAM and selinux are orthogonal (see below)!
5) Yes.
More lengthy answer:
Selinux provides mandatory access control to an operating system.
Windows and *nix usually come with discretionary access control[2],
which suits perfectly the requirements of most installations.
Supporting MAC in your environment is like breaking a butterfly on a wheel.
I did set up selinux on a bastion host[3] - compartmentalization of applications
makes perfect sense, but really is work. Here, however, I recommend the
usual linux-hardening steps ("How to secure harden Slackware filetype:pdf").
I want to mention that the selinux-kernel extension does not provide a
reference monitor[4] to the operating system (I read that one somewhere).
selinux-enforcement can be disabled (setenforce 0) and thus
does not fulfill the definition of a reference monitor.
PAM[5] is a mechanism to integrate multiple authentication schemes
into some public interface that can be used by developers in order to
simplify the implementation of their authentication functionality.
In order to run PAM with selinux, you need a specific module (pam_selinux.so),
which comes with Fedora Core out-of-the-box. Actually, this is a good
opportunity to refer to triple-A[6].
I just found this tutorial[7]. Skimming through it, it makes a good
impression.
/edit:
Just a recommendation: If you like to play around with computers,
consider installing VMWare Server (works perfectly with Windows XP).
It's free and allows running virtual computers.
Cheers
[1] http://en.wikipedia.org/wiki/Mandatory_access_control
[2] http://en.wikipedia.org/wiki/Discret...access_control
[3] http://antionline.com/showthread.php?t=270999
[4] http://en.wikipedia.org/wiki/Reference_monitor
[5] http://en.wikipedia.org/wiki/Pluggab...cation_Modules
[6] http://en.wikipedia.org/wiki/AAA_protocol
[7] http://linux.0ms.eu/?p=13237
Last edited by sec_ware; March 4th, 2008 at 02:29 PM.
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
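
An added example, not part of the original post: a shell audit of the two points raised above, whether enforcement is currently on (the state `setenforce 0` changes) and whether `pam_selinux.so` is wired into a PAM service file. It assumes the Fedora convention of a `pam_selinux.so close` line as the first session rule with a `pam_selinux.so open` line later; the function names, result labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are parameters so the
# checks can be run against copies of the real files.

# selinux_mode FILE: FILE is the kernel enforce flag, /sys/fs/selinux/enforce
# on current kernels (/selinux/enforce on older ones).
selinux_mode() {
    if [ ! -r "$1" ]; then echo disabled; return; fi
    case "$(cat "$1")" in
        1) echo enforcing ;;
        *) echo permissive ;;   # the state "setenforce 0" leaves behind
    esac
}

# pam_selinux_check FILE: prints missing, unpaired, ok or misordered.
# Only FILE itself is read; include/substack lines are not followed.
pam_selinux_check() {
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        $1 == "session" || $1 == "-session" {
            n++                                 # position among session rules
            for (i = 3; i <= NF; i++) if ($i ~ /pam_selinux\.so$/) {
                seen = 1
                for (j = i + 1; j <= NF; j++) {
                    if ($j == "close") close_at = n
                    if ($j == "open")  open_at = n
                }
            }
        }
        END {
            if (!seen)                              print "missing"
            else if (!close_at || !open_at)         print "unpaired"
            else if (close_at == 1 && open_at > 1)  print "ok"
            else                                    print "misordered"
        }' "$1"
}

# Constructed sample resembling a Fedora-style /etc/pam.d service file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth       include      system-auth
account    include      system-auth
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_selinux.so open
EOF
echo "pam_selinux placement: $(pam_selinux_check "$sample")"
echo "SELinux mode: $(selinux_mode /sys/fs/selinux/enforce)"
rm -f "$sample"
```

"unpaired" means the module is present but not as a close/open pair, which is worth a manual look rather than an automatic failure.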