Re: How can I start SELinux play machine ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2010/2/19 Dominick Grift <domg472@xxxxxxxxx>:
> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>> Hi, I 'm ready to start SELinux server in my office first time, and I
>> want to persuade everyone how safe the SELinux server is.
>>
>> How can I demonstrate administrators and my boss the advantage of
>> SELinux comparing other servers?
>>
>> SELinux play machine hit me but is too far or should I just
>> demonstrate in a certain ocassion for certain purpose?
>
> It depends a bit on your distro and policy model.
>
> But generally you can demonstrate how TE enforces integrity for targeted
> system daemons.
>
> If you use strict policy you can also enforce integrity for user
> processes. You can also demonstrate role based access control.
>
> You can demonstrate how MCS can be useful to restrict processes access
> to objects.
>
> If you use MLS model you can demonstrate enforcement of confidentiality.
>
> I never actually connected to play machine but i gather it mapped the
> root Linux login to the user_u SELinux user.
>

Sounds great, bu if root became user_u, any other user should be id=0 ?


> There are a lot of ways to demonstrate SELinux. You could restrict a
> simple hello world shell script and shows what happens if you extend the
> script to make it do something it is not intended to do.
>
> Same goes for webapplications. You could write a webapp and make it do
> something that SELinux policy does not allow it to do.
>
> Generally TE tries to prevent privilege escalation. It restricts processes.
>

Yes, thanks, but I want to demonstrate how SELinux denies when web
application's vulnerability exists.
Say, it could not get root's priviladges.

>> Thanks in advance.
>>
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>



-- 
http://intrajp.no-ip.com/ Home Page
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux