On Monday, 09/23/2013 at 10:38 EDT, Rick Troth <[email protected]> wrote:

> Knowing that you (Alan) are a fan of MAC and that you believe SELinux
> provides it, maybe you wanted to start a longer thread about that in
> particular. Russ also chimed in as if to hit "+1" or "like". The
> discussion warrants forking (clearly!) so I did. In the other thread, I
> was just trying to help John get past his vsFTPD pain. To that end, I'd
> even suggest not running FTP, if it would help. (Maybe it will!)

To qualify that, I am a fan of MAC (mandatory access control) when its use is warranted by the requirements of the established security policy. It is a means to an end, not an end in itself. It takes a higher level of effort to manage a MAC-enabled environment where every execution context (user/client) and resource (file, network, service) has an assigned role. It means that deploying new services is a result of consideration and thought, not impulse.

Of course, you have to understand the role relationships and the MAC "algebra" underlying SELinux, so you are correct when you said I was hinting that SELinux is worthy of study. z/VM with RACF has a similar capability.

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390
or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit http://wiki.linuxvm.org/
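The "MAC algebra" Alan refers to is easier to see in a toy model than in policy source. The block below is an added example written for this archive page, not code from SELinux or from anyone on the thread. It models the core of type enforcement: every subject (a process domain such as ftpd_t) and every object (a file type such as public_content_t, or the port type ftp_port_t) carries a label, and an access is denied unless an explicit allow rule matches, regardless of what the DAC permission bits would say. The type and boolean names are real SELinux identifiers; the rule set itself is a constructed fragment, not the reference policy, and the audit line format is a simplified, constructed rendering of an AVC message.

```python
"""Toy type-enforcement model in the spirit of SELinux.

Added illustration only: the rules here are a constructed fragment, not the
SELinux reference policy, and the engine is a few lines, not the kernel's AVC.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Access:
    source: str  # subject (process) domain, e.g. ftpd_t
    target: str  # object type, e.g. public_content_t
    cls: str     # object class: file, dir, tcp_socket ...
    perm: str    # permission on that class: read, open, name_bind ...


@dataclass
class Policy:
    # Unconditional allow rules (default deny: anything absent is refused).
    allows: set = field(default_factory=set)
    # Booleans let an admin widen policy without editing it (e.g. ftp_home_dir).
    booleans: dict = field(default_factory=dict)
    # Rules that apply only while a named boolean is on.
    conditional: dict = field(default_factory=dict)

    def allow(self, source, target, cls, perms, when=None):
        for perm in perms:
            rule = Access(source, target, cls, perm)
            if when is None:
                self.allows.add(rule)
            else:
                self.conditional.setdefault(when, set()).add(rule)

    def check(self, source, target, cls, perm):
        """True only if some allow rule (unconditional or enabled) matches."""
        wanted = Access(source, target, cls, perm)
        if wanted in self.allows:
            return True
        for name, rules in self.conditional.items():
            if self.booleans.get(name, False) and wanted in rules:
                return True
        return False


def build_policy():
    """Constructed rule fragment for an FTP daemon; not the real policy."""
    p = Policy()
    p.booleans = {"ftp_home_dir": False}  # default off: no home-dir serving
    p.allow("ftpd_t", "public_content_t", "file", ["read", "getattr", "open"])
    p.allow("ftpd_t", "public_content_t", "dir", ["read", "search", "getattr"])
    p.allow("ftpd_t", "ftp_port_t", "tcp_socket", ["name_bind"])
    # Only reachable when the boolean is switched on by the administrator.
    p.allow("ftpd_t", "user_home_t", "file", ["read", "getattr", "open"],
            when="ftp_home_dir")
    return p


def audit(policy, requests):
    """Render each request as a simplified, constructed AVC-style line."""
    lines = []
    for src, tgt, cls, perm in requests:
        verdict = "granted" if policy.check(src, tgt, cls, perm) else "denied"
        lines.append(f"avc: {verdict} {{ {perm} }} "
                     f"scontext={src} tcontext={tgt} tclass={cls}")
    return lines


if __name__ == "__main__":
    pol = build_policy()
    # A file world-readable under DAC is still refused if its label has no rule.
    sample = [
        ("ftpd_t", "public_content_t", "file", "read"),
        ("ftpd_t", "user_home_t", "file", "read"),
        ("ftpd_t", "shadow_t", "file", "read"),
    ]
    print("\n".join(audit(pol, sample)))
    pol.booleans["ftp_home_dir"] = True  # what `setsebool ftp_home_dir on` does
    print("\n".join(audit(pol, sample[1:2])))
```

The point the toy makes is the one in the message: adding a service means deciding which labels its domain may touch. Forgetting to label the content tree (public_content_t) or to set the relevant boolean produces denials even with correct Unix permissions, which is the usual source of "vsFTPD pain" on an enforcing system, and the denial is logged rather than silently ignored.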
