How can I start SELinux play machine ?
Shintaro Fujiwara
shintaro.fujiwara at gmail.com
Fri Feb 19 12:41:27 UTC 2010
2010/2/19 Dominick Grift <domg472 at gmail.com>:
> On 02/19/2010 01:29 PM, Shintaro Fujiwara wrote:
>> 2010/2/19 Dominick Grift <domg472 at gmail.com>:
>>> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>>>> Hi, I 'm ready to start SELinux server in my office first time, and I
>>>> want to persuade everyone how safe the SELinux server is.
>>>>
>>>> How can I demonstrate administrators and my boss the advantage of
>>>> SELinux comparing other servers?
>>>>
>>>> SELinux play machine hit me but is too far or should I just
>>>> demonstrate in a certain ocassion for certain purpose?
>>>
>>> It depends a bit on your distro and policy model.
>>>
>>> But generally you can demonstrate how TE enforces integrity for targeted
>>> system daemons.
>>>
>>> If you use strict policy you can also enforce integrity for user
>>> processes. You can also demonstrate role based access control.
>>>
>>> You can demonstrate how MCS can be useful to restrict processes access
>>> to objects.
>>>
>>> If you use MLS model you can demonstrate enforcement of confidentiality.
>>>
>>> I never actually connected to play machine but i gather it mapped the
>>> root Linux login to the user_u SELinux user.
>>>
>>
>> Sounds great, bu if root became user_u, any other user should be id=0 ?
>
> No, root linux login is id 0, and root is in the user_u SELinux user group.
>
> So in practice you will end up with a restricted root.
>
Thanks we both awake...9
Yes, I know, but how can I configure, say semanage or anything if user
id 0 (root) is restricted by SELinux ?
Should I make, say user "fujiwara" id 0 also?
I don't know two user can be id 0, though...
Or you mean temporarily set root user_u ?
That'll make sense.
>>
>>
>>> There are a lot of ways to demonstrate SELinux. You could restrict a
>>> simple hello world shell script and shows what happens if you extend the
>>> script to make it do something it is not intended to do.
>>>
>>> Same goes for webapplications. You could write a webapp and make it do
>>> something that SELinux policy does not allow it to do.
>>>
>>> Generally TE tries to prevent privilege escalation. It restricts processes.
>>>
>>
>> Yes, thanks, but I want to demonstrate how SELinux denies when web
>> application's vulnerability exists.
>> Say, it could not get root's priviladges.
>
> In that case find or engineer a web application vulnerability and
> demonstrate how SELinux is able to prevent privilege escalation.
>
OK, I think I can do that.
But apache has any vulnerability?
Oh, we should not talk this matter..
>>>> Thanks in advance.
>>>>
>>>
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>
>>
>>
>
>
>
--
http://intrajp.no-ip.com/ Home Page
More information about the selinux
mailing list