On Sat, 2006-08-05 at 15:43 -0400, Chad Martin wrote:
> Once again, I'm slow on replying to things...
> for those who want just a quick synopsis of why Linux is more secure,
> here's how I see it:
> 
> 1) In-kernel firewall. 
> 2) Non-administrative users. 
> 3) Open source. 
> 4) Software updates. 
> This is just the tip of the iceberg. I hope you feel more at ease about
> the security in Linux.

(I have another question (surprised?) and since it is security-related,
I might just append it to this post.)

You know, I really do. :)  Thanks, Chad.  The interesting thing is that
now that I've read all that, I think I sort of knew it already, in a
vague sort of way.  I just had never put all those ingredients together
to see what I ended up with, I guess.

Anyway, to veer back towards the original topic a bit, I've learned more
about SEL and I realize I was quite wrong about what it actually does
and why it broke my system.  I was imagining it to be just an internet
security thing (where it wouldn't allow traffic to/from servers or URLs
or whatever) but apparently, its job is to limit the amount of
access/control given to applications/processes, to the rest of the
system.  Not sure if I said that right.  The NSA says: "The
Security-enhanced Linux kernel enforces mandatory access control
policies that confine user programs and system servers to the minimum
amount of privilege they require to do their jobs."

Apparently, it does this a little too well for kernel 2.6.17, or
something was fundamentally wrong in the policy that I have installed.

I'm *guessing* now that whatever was actually broken (X11 and probably a
whole host of other things) just wasn't allowed to start properly
because it was trying to do things that it wasn't permitted to do.

Because it appears that the settings were different (or needed to be
changed) between the two kernels, I figured the only way I could
possibly work it would be to start in console mode and configure the
policy entirely through the command line, to allow system-wide access
for processes like 'audit', which I believe is what was causing most of
my problems.  (feel free to correct me on all this btw, if you think I'm
way off track)  I'm pretty certain that that would take me a whole day of
wandering around the cmd line (not a nice prospect for me), so I decided
I would just leave it for now.

Is there another way?  I've noticed over the past few days that
recompiling kernels appears to be a tried and tested way of making
things work/install that don't usually work/install.  So, I'm wondering,
if I were to recompile my kernel (which I've been told to do for several
reasons now, including so that I can install Dazuko, to enable on-access
scanning with KlamAV), is it possible that this would help with the SEL
thing somehow?  I was just thinking, maybe rather than trying to
reconfigure SEL, there might be some other way around it by
uninstalling/reinstalling SEL, and/or recompiling the kernel or
something.  I know that's a pretty vague question (not even a question,
really) but I'm just looking for options. 

~~~~~

Now for my next proper question, which occurred to me while I was
reading about SEL.  

We all know we shouldn't run our system as 'root'.  If I 'su' to do
something (i.e. run yum update/install), is that access restricted to
the application I'm running, or is it a system-wide thing?  I guess I'm
wondering, if I'm logged in as root in a shell, will other things (bad
things) be able to run themselves as root? (I use yum as the example
because it needs an active internet connection, which means I'm
accessing the net as root, which seems kinda risky by nature)

Cheers for putting up with me btw.  I know I've been spamming all your
inboxes quite a bit of late.  I just have a lot of questions and there's
no denying that it's often easier to just ask (and to voice vague
home-grown theories), than to sift through countless web pages looking
for answers that may or may not be there.

arsenic.


