oiaohm wrote:
> I know tripwire. Biggest flaw: it's not real time. fanotify will allow that to be changed at least part of the way for file-system operations. Second big problem with tripwire is false positives.
>
> SELinux guarding services you most of the time don't even notice, since the distributions who did the SELinux system did it right in the first place. Yes, SELinux has 3 basic modes: off, limited protection (i.e. protect only items like services), and god darn paranoid.
>
> > SELinux is also a product of the National Security Agency of the United States Government. They have a reason to lock down computers to prevent unauthorized use. Unfortunately, not every system administrator is willing or has the knowledge to properly configure it. That is why most folks don't like it. If you set it up properly, then you don't get 'surprises'. Sort of like setting up Windows Vista UAE on Full/High. Real pain.
>
> God darn paranoid is what most people know and fear. SELinux has some reasonable front ends out there these days. No more annoying than putting up with ZoneAlarm on Windows.

And we should all be paranoid. Yes, they are really out to get you and your computer. They will then do bad things with it.

> There is also Smack if you don't particularly like SELinux; both are peer reviewed.
>
> > And that is only the half of it.
>
> Martin, I have never had a DBMS system I have not been able to make work with SELinux. Note SELinux programmers considered everything. SELinux profile writers don't always. http://sourceforge.net/projects/segatex/ makes correcting policies quite simple.

SELinux, as originally developed, was not designed for this. However, you do have a valid complaint. RDBMS systems should be able to operate with SELinux running at full strength. That is why it is there.

> http:~user/... I have done that stuff with SELinux in place. Some distributions have it work from the start line. There is a learning mode you can set up for SELinux these days for odd-ball problems.
>
> > SELinux should work with web servers in non-secure and secure modes. It should work with Tomcat publishing dynamic pages as well.
>
> It's part having the right tools for the job, Martin.
>
> MS released a so-called anti-virus that used CRC32 checksums back in the WFW 3.11 time frame. Only one problem: CRC32 checksums could be collided simply, so it was rendered useless.

It was also a joke. You could fake the CRC32 of a file and keep on going. There was a contest to see who could infect the most files. Microsoft pulled it after this was demonstrated. Fortunately, not many folks relied on it either.

However, and relating this to Wine: SELinux should not, if properly configured, affect any user-space application that is behaving. It is when we decide to do things like host DNS servers on it that problems should occur, and rightfully so. We should be able to use web browsers and other Internet-facing applications. Oracle clients should be able to run on it, with minor configuration changes (SELinux does not normally allow high-to-high connections, but the world-famous port for Oracle is in the high port range). And the added security should not be a security blanket either. SELinux is just another level of host-based security. If you are really paranoid, you can run a complete suite of applications: anti-virus, anti-spyware, and other programs as well as SELinux. Unfortunately, Wine does not run anti-virus programs very well, if at all. However, anti-spyware programs should run on Wine. That is the start of the battle against the 'bad' guys who only want to steal the use of your system for their needs... BTW, Macs are also subject to this type of piracy as well.

James McKenzie
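As an added illustration of the CRC32 point in the thread (this is example code, not anything posted by oiaohm or James), the Python below builds a checksum baseline the way that old scanner would and shows that a modified file can be padded with four bytes so its CRC32 still matches, while SHA-256 flags the change; it is the reason a tripwire-style integrity check needs a cryptographic hash (or a keyed MAC), not a CRC. The file name and contents are constructed; nothing here touches the filesystem.

```python
import hashlib
import zlib

# Reflected CRC-32 table, same polynomial as zlib.crc32.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ (0xEDB88320 if c & 1 else 0)
    TABLE.append(c)
# The 256 table entries have distinct top bytes, so a top byte maps back to its index.
REV_TOP = {entry >> 24: i for i, entry in enumerate(TABLE)}

def crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Four bytes that, appended to data, make zlib.crc32() return target_crc.

    Runs the table-driven update backwards from the target register state; the
    unknown suffix bytes only XOR into that register, so they are the byte-wise
    difference between it and the real register state after data.
    """
    state = target_crc ^ 0xFFFFFFFF            # undo zlib's final XOR
    for _ in range(4):
        idx = REV_TOP[state >> 24]
        state = (((state ^ TABLE[idx]) << 8) | idx) & 0xFFFFFFFF
    diff = state ^ (zlib.crc32(data) ^ 0xFFFFFFFF)
    return bytes((diff >> (8 * k)) & 0xFF for k in range(4))

def baseline(files: dict) -> dict:
    """Record CRC32 and SHA-256 per file, as a checksum-based scanner would."""
    return {name: (zlib.crc32(body), hashlib.sha256(body).hexdigest())
            for name, body in files.items()}

def verify(files: dict, base: dict) -> dict:
    """Per-file (crc32_ok, sha256_ok) flags against the baseline."""
    return {name: (zlib.crc32(body) == base[name][0],
                   hashlib.sha256(body).hexdigest() == base[name][1])
            for name, body in files.items()}

def demo() -> dict:
    # Constructed sample: a tiny "program" and a modified copy padded so its CRC32 matches.
    original = {"notepad.exe": b"MZ original program image"}
    base = baseline(original)
    modified = original["notepad.exe"] + b"<modification>"
    modified += crc32_suffix(modified, base["notepad.exe"][0])
    return verify({"notepad.exe": modified}, base)

if __name__ == "__main__":
    print(demo())    # {'notepad.exe': (True, False)}
```

The CRC check passes on the altered file and only the SHA-256 comparison catches it, which is exactly the weakness the thread describes.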