SElinux

[AragonX]

<quote who="Mike McCarty">
>> I disagree. Things like SELinux/RSBAC/grsecurity+PaX can add a further
>> defense layer in system hardening.
>
> If someone gets through, then you are compromised. SELinux might
> (repeat, might) somewhat reduce the damage. But if you get rooted,
> then the infiltrator can change the policy just like you can.
> Every additional piece of software which is on your machine is
> another potential hole in your security, especially one which
> runs at kernel level. And just plain defects which can corrupt
> your system entirely is another issue.

Well, I'm going to jump right into the middle of this conversation and
give my $.001 worth of rant.

IMHO, SELinux is fairly difficult to manage.  I love the idea of ACLs but
just don't like SELinux's approach.  I went with LIDS and RSBAC a while
back.  I think for ACLs to work, they have to be easily manageable.  LIDS
was the easiest for me.  Very simple and straight forward (once you got
the darn thing to work).

As to getting rooted, I believe both LIDS and RSBAC can be configured to
only allow modification from special terminals (i.e. local terminal only
etc).  They are also kernel modules so they can not be easily bypassed. 
Finally, they usually have a separate password required to invoke the
modification terminal.  All very nice features.

Try giving other ACL implementations a try.  You may find them much more
enjoyable.  Be warned though, they are all difficult to install but once
you are past that...



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.