[Cialug] Fedora Core 3 SELinux
Chris Hilton
cialug@cialug.org
Wed, 23 Mar 2005 00:28:12 -0600
Good to hear.
My understanding, and I believe I read this in RH magazine, is that the
FC3 policy set is pretty pathetic (they mentioned it having like 5,000
rules). My experience has been bad with it. Upon doing an upgrade from
FC2 it worked fine, with SELinux disabled. Then I enabled it, and found
my system unbootable. It worked after a full reinstall though; gotta
love mass RPM upgrades!
To give a perspective on the 5,000 number, RHEL4 WS I think they said
has 290,000 rules. I've not really played with it much; but in all
cases I've heard this repeatedly:
It does you little good unless you add some rules yourself and make the
sandbox smaller and smaller.
If I understand it right, it adds application-level permissions to
files. So you can say /etc/shadow is only accessible by applications x,
y, and z; and then determine the permissions for those applications
(rwx). So if someone manages to root you, they can't `vim /etc/shadow`;
they have to be more creative!
Tom Pohl wrote:
> Now now, I haven't ditched anything, I'm just adding and expanding :)
>
> -Tom
>
> On Mar 15, 2005, at 9:19 AM, Dave Weis wrote:
>
>>
>> On Tue, 15 Mar 2005, Tom Pohl wrote:
>>
>>> I'm installing my first FC3 box (*gasp*). Are there any Security
>>> Enhanced Linux (SELinux) experts out there?
>>>
>>> I'm trying to figure out how many gotchas I would run into by it
>>> on. Is it really a good thing?
>>
>>
>> The default policy doesn't block anything, it just warns you when it
>> would have. I only have one FC3 machine that I installed from scratch
>> and had selinux functional. It didn't cause any problems with anything.
>>
>> Glad you are stepping out of the 80's and ditching slackware :-)
>>
>> --
>> Dave Weis            "I believe there are more instances of the abridgment
>> djweis@sjdjweis.com   of the freedom of the people by gradual and silent
>>                       encroachments of those in power than by violent
>>                       and sudden usurpations." - James Madison
>> _______________________________________________
>> Cialug mailing list
>> Cialug@cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>>
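As an added illustration of the mechanism Chris describes above (a constructed example, not code from this thread, from Fedora, or from the SELinux project), the toy below parses a few `allow` rules written in SELinux policy syntax and runs the access decision the way type enforcement does: a process is judged by the domain it runs in, not by its uid, and with no explicit `allow` the answer is no. The `access_check` routine also models Dave's point that the FC3 default only warns: in permissive mode the denial is logged and the access goes through, in enforcing mode it is refused. Type names such as `passwd_t`, `login_t`, `shadow_t` and `etc_t` follow reference-policy naming, but the rule set itself is an assumption made up for the demo, and the audit line is a simplified stand-in for a real AVC message.

```python
"""Toy model of SELinux type enforcement (TE) decisions.

Constructed example: a tiny parser for `allow` rules in SELinux policy
syntax plus an access-check routine that behaves like the kernel's
permissive vs. enforcing modes. It models only the concept discussed in
the thread; it is not FC3's real policy and does not talk to libselinux.
"""
import re

# One `allow <domain> <type>:<class> <perm | { perms }>;` statement per line.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<dom>\w+)\s+(?P<type>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[\w\s]+?)\s*\}|(?P<perm>\w+))\s*;$"
)

# Constructed sample policy; the type names follow reference-policy naming
# (passwd_t, login_t, shadow_t, etc_t) but the rule set is an assumption.
SAMPLE_POLICY = """
# passwd needs to rewrite the shadow file
allow passwd_t shadow_t:file { getattr open read write };
# login only needs to read it
allow login_t shadow_t:file { getattr open read };
# an ordinary shell may read regular /etc files, but nothing grants shadow_t
allow user_t etc_t:file { getattr open read };
allow user_t user_home_t:file write;
"""


class Policy:
    """Holds allow rules keyed by (source domain, target type, object class)."""

    def __init__(self, text):
        self.rules = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            m = ALLOW_RE.match(line)
            if m is None:
                raise ValueError(f"unsupported statement: {line!r}")
            perms = m.group("perms") or m.group("perm")
            key = (m.group("dom"), m.group("type"), m.group("cls"))
            self.rules.setdefault(key, set()).update(perms.split())

    def allowed(self, domain, target_type, cls, perm):
        """Deny by default: only an explicit allow rule grants a permission."""
        return perm in self.rules.get((domain, target_type, cls), set())


def access_check(policy, domain, target_type, cls, perm, enforcing, audit):
    """Return True if the access proceeds.

    A denied access is appended to `audit` (simplified AVC-style message) in
    both modes; only enforcing mode actually refuses it. That difference is
    what separates FC3's warn-only default from a real sandbox.
    """
    if policy.allowed(domain, target_type, cls, perm):
        return True
    audit.append(
        f"avc: denied {{ {perm} }} scontext={domain} tcontext={target_type} tclass={cls}"
    )
    return not enforcing


def demo():
    """Run the thread's scenario: a root shell tries to read /etc/shadow."""
    policy = Policy(SAMPLE_POLICY)
    audit = []
    # The uid never enters the decision; only the process domain does.
    permissive = access_check(policy, "user_t", "shadow_t", "file", "read", False, audit)
    enforcing = access_check(policy, "user_t", "shadow_t", "file", "read", True, audit)
    passwd = access_check(policy, "passwd_t", "shadow_t", "file", "write", True, audit)
    return {
        "shell_read_shadow_permissive": permissive,   # proceeds, but is logged
        "shell_read_shadow_enforcing": enforcing,     # refused
        "passwd_write_shadow_enforcing": passwd,      # explicitly allowed
        "denials_logged": len(audit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noticing is the default: `Policy.allowed` answers no for anything not listed, which is why Chris's advice to keep adding rules and shrinking the sandbox makes sense. A policy that covers only a handful of daemons leaves every unlisted domain effectively unconfined, and running in permissive mode turns the whole thing into a logging exercise until the denials have been reviewed and the mode switched to enforcing.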