How can I start SELinux play machine ?

Dominick Grift domg472 at gmail.com
Fri Feb 19 12:34:05 UTC 2010


On 02/19/2010 01:29 PM, Shintaro Fujiwara wrote:
> 2010/2/19 Dominick Grift <domg472 at gmail.com>:
>> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>>> Hi, I'm ready to start SELinux server in my office first time, and I
>>> want to persuade everyone how safe the SELinux server is.
>>>
>>> How can I demonstrate to administrators and my boss the advantage of
>>> SELinux compared to other servers?
>>>
>>> SELinux play machine hit me but is too far or should I just
>>> demonstrate in a certain occasion for certain purpose?
>>
>> It depends a bit on your distro and policy model.
>>
>> But generally you can demonstrate how TE enforces integrity for targeted
>> system daemons.
>>
>> If you use strict policy you can also enforce integrity for user
>> processes. You can also demonstrate role based access control.
>>
>> You can demonstrate how MCS can be useful to restrict processes access
>> to objects.
>>
>> If you use MLS model you can demonstrate enforcement of confidentiality.
>>
>> I never actually connected to play machine but i gather it mapped the
>> root Linux login to the user_u SELinux user.
>>
> 
> Sounds great, but if root became user_u, any other user should be id=0 ?

No, root Linux login is id 0, and root is in the user_u SELinux user group.

So in practice you will end up with a restricted root.

> 
> 
>> There are a lot of ways to demonstrate SELinux. You could restrict a
>> simple hello world shell script and show what happens if you extend the
>> script to make it do something it is not intended to do.
>>
>> Same goes for web applications. You could write a webapp and make it do
>> something that SELinux policy does not allow it to do.
>>
>> Generally TE tries to prevent privilege escalation. It restricts processes.
>>
> 
> Yes, thanks, but I want to demonstrate how SELinux denies when web
> application's vulnerability exists.
> Say, it could not get root's privileges.

In that case find or engineer a web application vulnerability and
demonstrate how SELinux is able to prevent privilege escalation.

>>> Thanks in advance.
>>>
>>
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
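What the hello-world demonstration above actually produces, when the confined script is extended to do something its policy does not allow, is a series of AVC denial records in the audit log. The following is an added example, not code from the thread: it parses constructed audit.log lines for a hypothetical "hello_t" domain and summarises which permissions were denied on which target types, which is the output you would put on the screen for the audience.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread). A hello-world
# script confined in a hypothetical "hello_t" domain is extended to write
# /etc/shadow and exec a shell; the policy denies both but allows reading
# /etc/motd. The SYSCALL record is included to show non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1266582845.123:201): avc:  denied  { write } for  pid=4321 comm="hello.sh" name="shadow" dev=sda1 ino=131 scontext=user_u:user_r:hello_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1266582845.456:202): avc:  denied  { execute } for  pid=4321 comm="hello.sh" name="bash" dev=sda1 ino=200 scontext=user_u:user_r:hello_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1266582846.001:203): avc:  granted  { read } for  pid=4321 comm="hello.sh" name="motd" dev=sda1 ino=77 scontext=user_u:user_r:hello_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1266582845.123:201): arch=c000003e syscall=2 success=no exit=-13
"""

# Field order in an AVC record: result, { perms }, pid, comm, ..., scontext,
# tcontext, tclass. Lazy matches let us skip the object-specific fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # user:role:type:level -> the type (third field) is what TE decides on
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(log_text):
    """Map (comm, source domain, target type, class) -> sorted denied perms."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["comm"], rec["sdomain"], rec["ttype"], rec["tclass"])
            summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for key, perms in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print("%s (%s) denied %s on %s:%s" % (key[0], key[1], perms, key[2], key[3]))
```

On a real system the same function can be fed the output of `ausearch -m avc` from the demo machine; only denials are reported, so a clean run prints nothing.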