On Sat, 2005-06-25 at 01:08 -0700, Joseph Sinclair wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> SELinux is a modified kernel (and some other parts of the GNU/Linux system) to support better security, including native ACL-like support, mandatory access control (no root user!), and policy-based security enforcement.
> ACL's (short for Access Control List) are a mechanism whereby multilayered access controls are applied to operating system objects. SELinux actually uses policies, but it works the same, for the most part.
> In Linux (as with all Unix-like systems) everything is a file, so ACL's are mostly applied to files.
>
> Technically, SELinux adds role-based security with mandatory access controls to a Linux system, not ACL's. It's a fine point, but it explains why setting up security is easy in Windows, and a serious PITN on SELinux.
>
> SELinux is the "standard" distribution that supports using enhanced security in a GNU/Linux environment; without it, you won't, usually, have anything like ACL's to work with.
> If you can get ACL's without SELinux, DO SO. SELinux is serious extra work if all you need is multilayered access control.
> I did a bit more research on this, and there is ACL support available for most Linux filesystems, but the support within the filesystem tools may be lacking, and if the ACL support
> isn't compiled into the kernel (many distros don't include it), then it's just not available, whether the FS supports it or not.
>
> For ACL resources:
> There's an outdated article on this at (http://www.suse.de/~agruen/acl/linux-acls/online/)
> Here's the about.com entry for ACL (http://linux.about.com/library/cmd/blcmdl5_acl.htm)
> Here's an ACL management tool that might help (http://www.ameba6.com/guiaclmanager/)
> Fedora Core 4 should have ACL's compiled in the kernel and most filesystems. Check if getfacl is present on your system; I don't have a FC4 system to try this on.
>
> More on SELinux at (http://www.nsa.gov/selinux/) (Note, this is the US National Security Agency, standard caveats apply).
> SELinux is generally incorporated into the 2.6 kernels and just not enabled by default.
> Fedora Core incorporates an SELinux mode; the FAQ for FC3 is at (http://fedora.redhat.com/docs/selinux-faq-fc3/index.html). They haven't put up the FAQ for FC4 yet, but SELinux is definitely there, and considerably improved.
>
> SELinux installs tend to take quite a bit of time to get right, so I would plan on a few weeks, at least, to get it all set up before exposing users to it, since any problems with the security policy can completely alienate the user base in negative time.
>
> ==Joseph++

----

Once again, you have written the mini-book answer to a general question and I feel so much more knowledgeable having read the above. Even though I think I knew all that, I doubt that I would have been anywhere within hand grenade range of this description. Heck, I even feel guilty nit-picking it.

You stated 'setting up security in Windows is easier' and that is not entirely true. NTFS has ACL support, VFAT does not. Very few people have a clue how to access it. Only WinXP SP2 has a built-in firewall, which most people will have to be told when and how to add exceptions for a specific program. Win2K and WinNT only have packet filtering in a hidden area of the network interface configuration, and the interface to it might be one of the world's worst. All of the 3rd party firewall implementations are too tedious for knowledgeable users and thoroughly confusing for less-than-knowledgeable users. Local security policy implementation? Not too difficult, but I probably don't know a soul personally that has done it other than me. Considering that most Windows users run as super user and idiotic things like Quickbooks will not work unless you at least have local 'Power User' privileges, security and Windows are not always intersecting areas.
Craig
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss