[Wolves] Nsa using linux

Shane M. Coughlan shane at shaneland.co.uk
Fri Aug 25 12:32:52 BST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

David Goodwin wrote:
> I don't know much  about the technical bits of SELinux, but can it be
> used in a similar manner to Novell's AppArmour where it has a
> 'training' mode (i.e. run application under 'normal' circumstances,
> record what it does, and then don't let it do anything else in the
> future)?

SELinux does not have a training mode.  You define your policies before
you go live.

Some aspects of AppArmor are inherently bad for security.  For example,
if you train the system without fully securing it, then it can be
compromised at that juncture.  There is also the issue of what you do
when activity outside of your training area occurs and does not fit into
the filter policy that AppArmor applies.

That being said, generally AppArmor is just fine for what most people
want to do.

> Does anyone use SELinux, aside from a few niche areas? So far, every
> time I've seen people try and use SELinux (under RedHat) it causes
> $problems, which lead to it being totally disabled - clearly this
> isn't an ideal situation, but there seems to be a total lack of
> understanding of how to edit/modify/manage it.

SELinux is quite widely deployed.  It's part of the security system
deployed by large enterprises who need to control what happens across
large networks.  It's also popular in government work.

Originally, when Red Hat launched a Fedora with SELinux, they had it
running in strict mode (which only allows explicitly permitted actions
to happen).  Most people found their systems were not allowing them to
do things.

Red Hat now deploy SELinux at a lower security level, thus allowing people
to actually run applications that don't have explicit permissions
(SELinux is idling in the background waiting for new users to apply
policies).

> Could you do a talk on SELinux and policies some time in the future?

Yes, of course.

However, my schedule is a little mad for a few months.  I'm moving to
Zürich.  It might be a while before I could do a talk.

Shane

- --
Shane Martin Coughlan
e: shane at opendawn.com
m: +447773180107 (UK) +353862262570 (Ire)
w: www.opendawn.com
- ---
OpenPGP: http://www.opendawn.com/shane/publickey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iQCVAwUBRO7f2twG3M95JPpzAQjynQP/ej/QhnawtjuTxdg2ztkiWvJVX/al84x8
XcGiW8e2mAGY7ZkIHj3vqmtRGFqBgom1d5QXCxS25KopItqg+imYvxTahZ+Eeymp
421BUt2j3NHsCbD+oEEo2J/LutfdniXSA4oFk/3EEefzU+EQQ1PKyb56dbvbZ58J
FOmbfY+MGog=
=EirA
-----END PGP SIGNATURE-----
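The post says SELinux has no training mode and that policy must be written before going live. The nearest thing SELinux offers is running permissive rather than enforcing: the kernel then logs the AVC denials it would otherwise have enforced, and a tool such as audit2allow turns those log lines into the allow rules a policy needs. The script below is an added example (not code from the post, the Wolves list, or the SELinux project) that does the core of that job on a handful of constructed audit records: it parses the denial lines, groups the denied permissions by (source type, target type, object class), and renders them as `allow` rules. The `permissive=1` field on a record is an assumption about the audit format; newer kernels log it, older ones do not, so the parser treats it as optional.

```python
"""Summarize SELinux AVC denials into the allow rules they would require.

Added example, not code from the original mailing-list post or from the
SELinux tools. In permissive mode SELinux logs what it *would* have denied
instead of blocking it; this script groups those audit lines by
(source type, target type, object class) and prints the minimal 'allow'
rules, in the same spirit as audit2allow. All audit lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the page). The first four
# are AVC denials in the kernel's format; the fifth is an unrelated SYSCALL
# record that the parser must ignore. 'permissive=1' marks a denial that was
# logged but not enforced (assumed: newer kernels add this field, older ones
# do not, so it is optional).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1156505572.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1156505572.123:43): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1156505580.001:44): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1156505590.500:45): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1156505572.123:42): arch=c000003e syscall=2 success=yes exit=3 pid=1234 comm="httpd"',
]

# "avc:  denied  { read getattr }" -> the permission names inside the braces.
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
# key=value fields we care about; everything else on the line is ignored.
_FIELD_RE = re.compile(r'\b(?P<key>scontext|tcontext|tclass|permissive)=(?P<val>\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC denial."""
    m = _DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(line))
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None  # a denial line we cannot attribute to a type pair
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # True/False when the kernel logged the field, None when it did not.
        'permissive': {'1': True, '0': False}.get(fields.get('permissive')),
    }


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            needed[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(needed)


def generate_allow_rules(lines):
    """Render the summary as SELinux 'allow' rules, sorted, one string each."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(lines).items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == '__main__':
    for rule in generate_allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
```

The output is only a starting point, which is the post's real warning about training-style policy: every rule generated this way was produced because something was observed doing it, so a system that was already compromised while permissive will happily have its attacker's behaviour written into policy. Review each generated rule against what the service should be allowed to do before loading it, rather than loading the whole batch.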