SELinux MLS

Douglas Brown d46.brown at student.qut.edu.au
Thu Jul 4 05:47:47 UTC 2013


The only use case I can think of to justify the vast additional complexity of MLS is when you need to confine access to resources based on a very specific organisational information flow policy. The MLS policy isn't necessarily more 'secure' than MCS; it just enforces a different information flow policy (domain separation rather than Bell-LaPadula).

If you'd like to harden the machine and restrict access to splunk resources, I would:

 *   Write policy for Splunk then remove all unconfined domains (see section in: http://danwalsh.livejournal.com/42394.html)
 *   Run splunk in its own category
 *   Change default user/login clearances as appropriate to restrict access to splunk
 *   Depending on whether or not your network is labelled, you might consider using SECMARK or netlabel to restrict network access to splunk

Hypothetically, you could run multiple instances of splunk in different categories on the same machine for each index if required.

Cheers,
Doug
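The difference Doug draws between MCS (category separation) and MLS (Bell-LaPadula) can be illustrated with a small model of the two decision rules. The following is an added example, not code from this thread or from the SELinux reference policy: it parses context levels and ranges the way they appear in `ls -Z` / `id -Z` output, applies a simplified version of each policy's constraint, and runs both over a constructed set of subjects and objects (two Splunk instances each in its own category, plus an admin with the full category range). The names, paths and category numbers are constructed, and the MLS rule is a simplification of the real `mlsconstrain` rules, which distinguish far more operations.

```python
# Added example: toy model of SELinux MCS vs MLS access decisions.
# Not from the mailing-list thread; all contexts below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int          # the N in "sN"
    categories: frozenset     # expanded set of category numbers


def parse_level(text):
    """Parse one level such as "s0", "s0:c10" or "s0:c0.c10,c20"."""
    sens_part, _, cat_part = text.partition(":")
    cats = set()
    for chunk in filter(None, cat_part.split(",")):
        if "." in chunk:                      # "c0.c10" is the inclusive range c0..c10
            lo, hi = chunk.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(chunk[1:]))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_range(text):
    """Parse a subject range "low-high"; a lone level means low == high."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    return low, high


def dominates(a, b):
    """a dominates b when its sensitivity is >= b's and it holds every category b has."""
    return a.sensitivity >= b.sensitivity and b.categories <= a.categories


def mcs_allows(subject_range, obj_level, op):
    """MCS: pure category separation. Every sensitivity is s0, so the only
    question is whether the subject's clearance (its high level) carries all
    of the object's categories; read and write are treated alike."""
    _, high = subject_range
    return dominates(high, obj_level)


def mls_allows(subject_range, obj_level, op):
    """Simplified Bell-LaPadula, as an MLS policy expresses it: a read needs
    the clearance to dominate the object (no read up); a write needs the
    object to lie inside the subject's range (no write down, and no writing
    above the clearance either)."""
    low, high = subject_range
    if op == "read":
        return dominates(high, obj_level)
    if op == "write":
        return dominates(obj_level, low) and dominates(high, obj_level)
    raise ValueError(f"unknown operation {op!r}")


# Constructed sample: one Splunk instance per index, each in its own category.
SUBJECTS = {
    "splunk_index_a": "s0-s0:c10",
    "splunk_index_b": "s0-s0:c11",
    "admin":          "s0-s0:c0.c1023",
}
OBJECTS = {
    "index_a_dir": "s0:c10",
    "index_b_dir": "s0:c11",
}


def access_matrix(model):
    """Return {(subject, object, op): allowed} for the sample under one model."""
    out = {}
    for s_name, s_range in SUBJECTS.items():
        for o_name, o_level in OBJECTS.items():
            for op in ("read", "write"):
                out[(s_name, o_name, op)] = model(parse_range(s_range),
                                                  parse_level(o_level), op)
    return out


if __name__ == "__main__":
    for name, model in (("MCS", mcs_allows), ("MLS", mls_allows)):
        print(f"--- {name} ---")
        for (s, o, op), ok in access_matrix(model).items():
            print(f"{s:16} {op:5} {o:12} {'allow' if ok else 'deny'}")
```

Under the MCS model the two Splunk instances cannot touch each other's index directories while the admin can reach both, which is the separation Doug's "run splunk in its own category" bullet buys; the MLS model additionally refuses a write from a higher sensitivity into a lower one, the Bell-LaPadula behaviour that MCS never imposes.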

From: Robert Gabriel <ephemeric at gmail.com>
Date: Thursday, 4 July 2013 2:42 AM
To: Doug Brown <d46.brown at student.qut.edu.au>
Cc: "selinux at lists.fedoraproject.org" <selinux at lists.fedoraproject.org>
Subject: Re: SELinux MLS

On 3 July 2013 13:32, Douglas Brown <d46.brown at student.qut.edu.au> wrote:

Full splunk or just the universal forwarder? Interested to know how you go.

Full Splunk but it's going to take me forever.

Found this in the meantime:

http://riffraff169.wordpress.com/2011/11/22/splunk-and-selinux/