SELinux



Jongi
15th July 2006, 01:41 PM
Is it worth it enabling it on a stand alone computer? Is it relatively simple to configure?

jtang613
15th July 2006, 02:30 PM
1) Yes
There is little disadvantage to enabling selinux, but there are many security advantages. If by standalone you mean 'not connected to the internet', then you can probably disable selinux.


2) Yes and No
There is the System-Config-Security tool and other selinux tools under the Gnome System -> Administration menu. However, writing custom policies by hand can be complex - as can simply understanding selinux in general. A good FAQ is:
http://fedora.redhat.com/docs/selinux-faq-fc5/
http://www.nsa.gov/selinux/info/faq.cfm

hth,
Jason

Jongi
15th July 2006, 02:40 PM
Yeah, I started at the nsa site before posting here. I had a quick look at the pdf file they have on the site and it seemed to me that setting up may not be a simple matter.

Not as standalone as that. I connect to the net behind a router.

EDIT: The fedora faq should keep me busy.

jtang613
15th July 2006, 02:42 PM
If you have Fedora installed, then by default selinux is installed, and active. No further work is needed.

Jason

Jongi
15th July 2006, 02:55 PM
I actually had to disable it as it gave me a problem the first time I wanted to boot up after installing FC5. Obviously I suspect that if I were to set it up properly that issue might be resolved.

Been running FC5 for maybe 2 months now.

EDIT: The issue was related to my system being formatted with reiserfs.

LLS
15th July 2006, 03:37 PM
I have it enabled on both my fc5 workstation and webserver and think it is worth the effort to keep the systems working with it. Although I find it quite complex and not a small endeavor to learn at all. I have not found any easy beginning tutorials and get most answers from various posts by other users fixing problems that are related to ones I might have. I would love to hear of any sites to help with beginning administration of SElinux as the official Redhat one is like trying to learn Apache at that giant official Apache site, which seems to be more useful after one understands a little bit about the subject.

RahulSundaram
16th July 2006, 10:44 AM
I have it enabled on both my fc5 workstation and webserver and think it is worth the effort to keep the systems working with it. Although I find it quite complex and not a small endeavor to learn at all. I have not found any easy beginning tutorials and get most answers from various posts by other users fixing problems that are related to ones I might have. I would love to hear of any sites to help with beginning administration of SElinux as the official Redhat one is like trying to learn Apache at that giant official Apache site, which seems to be more useful after one understands a little bit about the subject.


There are quite a few references but this is a good place to start:
http://fedoraproject.org/wiki/SELinux

jtang613
16th July 2006, 02:01 PM
EDIT: The issue was related to my system being formatted with reiserfs.
Good to see you found the problem. Yes, only ext3 and xfs filesystems currently support selinux extensions.