2010/2/19 Dominick Grift <domg472@xxxxxxxxx>:
> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>> Hi, I'm ready to start SELinux server in my office first time, and I
>> want to persuade everyone how safe the SELinux server is.
>>
>> How can I demonstrate administrators and my boss the advantage of
>> SELinux comparing other servers?
>>
>> SELinux play machine hit me but is too far or should I just
>> demonstrate in a certain occasion for certain purpose?
>
> It depends a bit on your distro and policy model.
>
> But generally you can demonstrate how TE enforces integrity for targeted
> system daemons.
>
> If you use strict policy you can also enforce integrity for user
> processes. You can also demonstrate role based access control.
>
> You can demonstrate how MCS can be useful to restrict processes' access
> to objects.
>
> If you use MLS model you can demonstrate enforcement of confidentiality.
>
> I never actually connected to play machine but I gather it mapped the
> root Linux login to the user_u SELinux user.
>

Sounds great, but if root became user_u, any other user should be id=0 ?

> There are a lot of ways to demonstrate SELinux. You could restrict a
> simple hello world shell script and show what happens if you extend the
> script to make it do something it is not intended to do.
>
> Same goes for web applications. You could write a webapp and make it do
> something that SELinux policy does not allow it to do.
>
> Generally TE tries to prevent privilege escalation. It restricts processes.
>

Yes, thanks, but I want to demonstrate how SELinux denies when web
application's vulnerability exists.
Say, it could not get root's privileges.

>> Thanks in advance.
>>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

--
http://intrajp.no-ip.com/ Home Page
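
The kind of denial the thread wants to show (a web server process stopped by TE even though it runs as root), as an added example that is not part of the original messages: a small Python summarizer for AVC denial records that groups what a confined domain was refused. The audit lines are constructed samples, and `selinux_type` and `summarize_denials` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from a real system). The SYSCALL
# record shows uid=0: the process is root under DAC and is still denied.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1266570001.101:501): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1266570001.101:501): arch=c000003e syscall=2 success=no exit=-13 uid=0 comm="httpd"
type=AVC msg=audit(1266570002.207:502): avc:  denied  { open } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1266570003.310:503): avc:  denied  { write } for  pid=2345 comm="httpd" name="passwd" dev=dm-0 ino=1188 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1266570004.412:504): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a full security context: %r" % context)
    return parts[2]  # the MLS/MCS level may itself contain ':'


def summarize_denials(log_text, domain=None):
    """Map (source type, target type, class) to the sorted denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types
        match = AVC_RE.search(line)
        if match is None:
            continue  # "granted" records or malformed lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
        try:
            key = (selinux_type(fields["scontext"]),
                   selinux_type(fields["tcontext"]), fields["tclass"])
        except (KeyError, ValueError):
            continue  # incomplete record: skip rather than guess
        if domain is None or key[0] == domain:
            summary[key].update(match.group("perms").split())
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_AUDIT_LOG, "httpd_t").items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```
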