On 02/19/2010 01:29 PM, Shintaro Fujiwara wrote:
> 2010/2/19 Dominick Grift <domg472@xxxxxxxxx>:
>> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>>> Hi, I'm ready to start an SELinux server in my office for the first time, and I
>>> want to persuade everyone how safe the SELinux server is.
>>>
>>> How can I demonstrate to administrators and my boss the advantage of
>>> SELinux compared with other servers?
>>>
>>> SELinux play machine hit me but is too far, or should I just
>>> demonstrate on a certain occasion for a certain purpose?
>>
>> It depends a bit on your distro and policy model.
>>
>> But generally you can demonstrate how TE enforces integrity for targeted
>> system daemons.
>>
>> If you use strict policy you can also enforce integrity for user
>> processes. You can also demonstrate role based access control.
>>
>> You can demonstrate how MCS can be useful to restrict processes' access
>> to objects.
>>
>> If you use the MLS model you can demonstrate enforcement of confidentiality.
>>
>> I never actually connected to the play machine, but I gather it mapped the
>> root Linux login to the user_u SELinux user.
>>
>
> Sounds great, but if root became user_u, any other user should be id=0?

No, the root Linux login is id 0, and root is in the user_u SELinux user group. So in practice you will end up with a restricted root.

>
>> There are a lot of ways to demonstrate SELinux. You could restrict a
>> simple hello world shell script and show what happens if you extend the
>> script to make it do something it is not intended to do.
>>
>> Same goes for web applications. You could write a webapp and make it do
>> something that SELinux policy does not allow it to do.
>>
>> Generally TE tries to prevent privilege escalation. It restricts processes.
>>
>
> Yes, thanks, but I want to demonstrate how SELinux denies when a web
> application's vulnerability exists.
> Say, it could not get root's privileges.

In that case find or engineer a web application vulnerability and demonstrate how SELinux is able to prevent privilege escalation.

>>> Thanks in advance.
>>>
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
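The demonstration discussed in this thread (a confined web application that tries to do something its policy does not allow, and is stopped) is most convincing when the audience can see the denial itself. The script below is an added example, not from the list or from either poster: it parses AVC records in the format the kernel writes to /var/log/audit/audit.log and summarises, per source domain, target type, object class and permission, which accesses were denied in enforcing mode and which would have been denied had the machine not been in permissive mode. The sample records are constructed for the example (the httpd_t process trying to read shadow_t and execute shell_exec_t); they are not taken from a real system.

```python
import re
from collections import Counter

# Constructed sample audit records in the AVC format SELinux writes to
# /var/log/audit/audit.log. Values are illustrative, not from a real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1266583742.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1266583742.124:457): avc:  denied  { execute } for  pid=1234 comm="httpd" name="bash" dev="dm-0" ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1266583742.125:458): avc:  denied  { read write } for  pid=1234 comm="httpd" name="shadow" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1266583742.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1266583742.200:459): avc:  granted  { setenforce } for  pid=99 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches the fixed prefix of an AVC record: decision, permission set, then
# the free-form key=value fields that follow "for".
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if quoted else bare
    return {
        'decision': m.group('decision'),
        'perms': frozenset(m.group('perms').split()),
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
        'comm': fields.get('comm', ''),
        'name': fields.get('name', ''),
        # permissive=1 means the access was logged but not blocked.
        'permissive': fields.get('permissive', '0') == '1',
    }


def summarize(log_text):
    """Count denials keyed by (source_type, target_type, tclass, permission).

    'enforced' holds accesses actually blocked; 'permissive' holds accesses
    that would have been blocked in enforcing mode. Granted records and
    non-AVC records are ignored.
    """
    result = {'enforced': Counter(), 'permissive': Counter()}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        bucket = result['permissive'] if rec['permissive'] else result['enforced']
        for perm in sorted(rec['perms']):
            bucket[(rec['source_type'], rec['target_type'], rec['tclass'], perm)] += 1
    return result


def report(log_text):
    """Render the summary as lines suitable for showing an audience."""
    summary = summarize(log_text)
    lines = []
    for mode in ('enforced', 'permissive'):
        for (src, tgt, cls, perm), n in sorted(summary[mode].items()):
            lines.append(f"{mode:10s} {src} -> {tgt} ({cls}) {perm}: {n}")
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_AUDIT_LOG):
        print(line)
```

In a live demonstration the same parser can be pointed at the real audit log (or at the output of `ausearch -m AVC`) after the confined application has tried its out-of-policy action; the enforced bucket is the evidence that the policy, not the application, decided what it could touch, and the permissive bucket is useful while tuning policy before switching to enforcing mode.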