[KLUG Members] SELinux anyone?

Adam Williams members@kalamazoolinux.org
25 Jul 2003 09:19:37 -0400


> Is anyone using, or experimenting with, SELinux?
> http://www.nsa.gov/selinux

Played with it a bit once.  The application level security is very
nice.  It is woven into IPC and everything.  But it can be a real
$(*&@($ to config since most apps don't expect anything like that to be
going on.

I thought SE was disbanded however?  The NSA had said "No!" to Open
Source.  Has this project resumed?

Also be aware that SE is a POC (proof-of-concept).  It is not meant to
be actually used in any production capacity.  At least that is what it
said back when I had enough spare time to look at it.  The code is real
spaghetti.

> As I understand it, it's a modification to an existing Linux system (their 
> site says it works with Red Hat). It Mandatory Access Control and other things 
> to make a system less vulnerable.

Some MAC exists already in late 2.4, it is just poorly documented.  More
exists (will exist?) in 2.6.x.

> This hearkens back to some content from the excellent presentation by Matthew 
> Benjamin from The Linux Box back in January. 

Matt talked about LIDS,  which is a patch set meant to be used on real
systems.  I've been meaning to put that (or something like it) on my
KDC/PDC but I'm waiting till 2.6.x so I don't have to do it twice.