I've been using SELinux for some time now on Fedora. SELinux has been included in Fedora since Fedora 2, and has been turned on by default since around Fedora 10. I'm currently running Fedora 13.
Fedora has a SELinux Administration GUI that allows me to set default policies for things like the Apache Web Server, PostgreSQL Database Server, MySQL, etc. simply by clicking on checkboxes within the GUI.
SELinux can cause problems in running some programs. For example, SELinux would block my media server (e.g. Twonkymedia) from writing to memory, and would issue alerts regarding unauthorized use of memory by twonkymedia.sh. Such alerts could run into the thousands over a couple of days. The alerts included recommended command line syntax that could be used in a terminal window to create the policy Twonkymedia needed to use memory, if I chose to allow it. Also, the alerts would recommend that the author of the software be contacted to let them know about the problem.

http://en.wikipedia.org/wiki/Security-Enhanced_Linux

Regards,

LelandJ

On 08/10/2010 03:52 PM, Bill Arnold wrote:
>> Would you believe in 20 years of computing, this is the first
>> time I've ever had a virus?
> You didn't get a virus, you were attacked by an organized criminal
> enterprise! This isn't mere semantics, it goes to the core of how we
> perceive what's going on. The word "virus" implies they occur in nature,
> which masks the truth and keeps people from getting as riled as they should
> be.
>
> But I'm not writing just to repeat this observation, but to mention:
>
> First, the need for a disaster recovery plan to insure the needed materials
> for complete machine rebuilds are available and timely, something which we
> and our customers should be well versed in and regularly maintain. I've
> written an app for this purpose.
>
> Second is awareness of a highly insidious act by these criminals: they can -
> and I've seen it - change source code, such as HTML files on our machines,
> which we might then install on a server without realizing what's happened.
> For this problem, even completely rebuilding a machine and restoring backups
> isn't a complete solution.
>
> What to do? Some thoughts:
>
> 1. A VM that doesn't require a host and can't be cracked should become
> standard fare. This way, if a virtual copy of Win/xx is hacked, rebooting
> Win/xx starts with a completely fresh copy and no traces of the hack.
> Concurrently, something (see #2) is protecting our files from unauthorized
> access and change.
>
> 2. A resource control system such as IBM's RACF. It's simple in concept:
> everything is protected by default, and then any number of user groups can
> be defined, each with very specific access rights that go right down to the
> file name level. For example, your ID can be in a group that can only read
> file 'abc' and during the daytime only.
>
> 3. Until 1 and 2 are readily available, isolate development machines (due to
> the source code exposure) from the Internet altogether, and use a spare
> (unimportant) machine to access the net.
>
> 4. For now, I've settled on MS Security Essentials because protecting
> Windows from hacks is MS's job, plain and simple. It's their source code,
> therefore their responsibility. To give credit where it's due, it does seem
> to be working okay, but then I've become extremely careful with Internet
> access from this machine, using a limited account on a spare machine for
> googling (even simple, innocuous Google searches can bring up lists with
> bugged websites, which I've seen happen).
>
> 5. International law should be tracking down these gangs and putting them in
> jail. I've not heard of even a single such case, yet they keep getting more
> sophisticated by the day. The cynic would think that those in power actually
> want the Internet to become uninhabitable. That can't be the case, right?
>
> Bill

