<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<!-- Template generated by Exclaimer Mail Disclaimers on 01:12:39 Tuesday, 31 January 2012 -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">P.8386aec5-ba10-4ed7-96ee-3957f444ce05 {
MARGIN: 0cm 0cm 0pt
}
LI.8386aec5-ba10-4ed7-96ee-3957f444ce05 {
MARGIN: 0cm 0cm 0pt
}
DIV.8386aec5-ba10-4ed7-96ee-3957f444ce05 {
MARGIN: 0cm 0cm 0pt
}
TABLE.8386aec5-ba10-4ed7-96ee-3957f444ce05Table {
MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
page: Section1
}
</style>
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang="EN-US" link="blue" vlink="blue">
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"></p>
<div class="Section1">
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">SELinux on RHEL derived distros now has other tools to give you a clue about what is going wrong with things. In the early days I turned
it off completely because it really was not fun to figure out why it was having issues.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy">Also if you want to be an RHCE you’ll have to learn SELinux.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:
10.0pt;font-family:Arial;color:navy"><o:p> </o:p></span></font></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"></span></font></div>
</div>
</div>
<p></p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"> </p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"> </p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"></p>
<div class="Section1">
<div>
<div class="MsoNormal" align="center" style="text-align:center"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">
<hr size="2" width="100%" align="center" tabindex="-1">
</span></font></div>
<p class="MsoNormal"><b><font size="2" face="Tahoma"><span style="font-size:10.0pt;
font-family:Tahoma;font-weight:bold">From:</span></font></b><font size="2" face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma"> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b><span style="font-weight:bold">On Behalf Of </span></b>Jim Kinney<br>
<b><span style="font-weight:bold">Sent:</span></b> Tuesday, January 31, 2012 1:04 PM<br>
<b><span style="font-weight:bold">To:</span></b> Atlanta Linux Enthusiasts<br>
<b><span style="font-weight:bold">Subject:</span></b> Re: [ale] why I love windows</span></font><o:p></o:p></p>
</div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:
12.0pt"><o:p> </o:p></span></font></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><o:p> </o:p></span></font></p>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:
12.0pt">On Tue, Jan 31, 2012 at 11:24 AM,
<a href="mailto:mike@trausch.us">mike@trausch.us</a> <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<o:p></o:p></span></font></p>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:
12.0pt"><br>
<br>
Ultimately, I would like a system that enables me to do certain things<br>
without having to elevate my own privileges. There is (to my knowledge)<br>
absolutely nothing to stop a program lurking in my userspace from<br>
starting up in the window system and watching for me to gain root access<br>
in a terminal window to do nasty things before I can stop it.<br>
<br>
But if I were allowed to “aptitude update && aptitude safe-upgrade” or<br>
“emerge --sync && emerge -DNua world” without invoking root privilege,<br>
by having helpers go and request that backends kick in and do their<br>
jobs, then I never have to run “sudo” or become root. I can just type<br>
the commands and if I have the permission to run them, the backend will<br>
start up for me; if I do not have the permission to run them, the<br>
backend will return a permission denied error. And all the while,<br>
nothing can lurk in my window system and try to take advantage of a root<br>
shell while it’s in a terminal window.<o:p></o:p></span></font></p>
<div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:
12.0pt"><br>
--- Mike<br clear="all">
<o:p></o:p></span></font></p>
</div>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:
12.0pt">I don't understand what the advantage is of totally blurring the line between user and admin is. You can right now set up your non-root account to do root-ish things
with no further work other than typing the command.<br>
<br>
The hard separation exists for a reason. It's better to learn the tool chains available before embarking on a new project to reinvent the wheel. SELinux and AppArmour are very similar in concept but different in operation and practice. As you use Debian derivatives,
learn AppArmour. If you use RedHat derivatives, learn SELinux.<br>
<br>
FYI: PolicyKit is a native part of RHEL. It's purpose is to handle the process that allows a user with proper privileges to do gui-fied root-ish things. It is tied in nicely with SELinux. My laptop runs in permissive mode. My servers run in targeted mode. That
means apache can read/write ONLY apache directories (i.e. have the type httpd_sys_content_t. I can as admin make any area of the filesystem have that type and apache will be able to use that space. If I want to, I can dig way deep and allow suexec_httpd to
use particular spaces only and not be able to write to /tmp or whatever. Targeted policy is pretty easy. MLS/MCS can be the total brain-bender :-) Picture the following:<br>
<br>
Each user has multiple level of security. Each level can "read down" and "write up" a security level. A process called "polyinstantiation" was created so that each user has multiple $HOME with different security levels. There is a /tmp for each level in use
AND it's tied to each user. So it's a private /tmp that kernel space understands as normal /tmp when a user app calls for an IO to /tmp. Each security level transition requires a login. The entire chain of logins is tracked back to the originating login. So
a user can't use a local exploit to become root and then do anything because the system knows the transition path.
<br>
<br>
Now add in MCS to further subdivide the system and processes into compartments that can each have multiple levels. So Fred works on two projects and at different levels on each. Each category can (and usually does) require a complete login process (not su)
so that polyinstantiation wakes up and does it's job at each category and level.<br>
<br>
Once you know how to read the audit logs, you can track a user through what is done. By tricks such as dual logs and append-only partitions, a cracker has nearly no chance to both "do bad things" AND cover the tracks.<br>
<br>
I'll start working on the SELinux roadshow and holler when it's ready.<o:p></o:p></span></font></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><br>
-- <br>
-- <br>
James P. Kinney III<br>
<br>
As long as the general population is passive, apathetic, diverted to consumerism or hatred of the vulnerable, then the powerful can do as they please, and those who survive will be left to contemplate the outcome.<br>
- <i><span style="font-style:italic">2011 Noam Chomsky<br>
<br>
<a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a></span></i><o:p></o:p></span></font></p>
</div>
<p></p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"><font face="Arial"><font color="fuchsia"><font style="FONT-FAMILY: Arial; FONT-SIZE: 10pt" size="2"></font></font></font> </p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"> </p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"><font face="Arial"><font color="fuchsia"><font style="FONT-FAMILY: Arial; FONT-SIZE: 10pt" size="2">Athena<font size="1">®</font>, Created for the Cause</font><font size="1">™
</font></font></font></p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"><font size="2" face="Arial">Making a Difference in the Fight Against Breast Cancer</font></p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"><span style="FONT-FAMILY: Arial; FONT-SIZE: 10pt"></span> </p>
<p class="8386aec5-ba10-4ed7-96ee-3957f444ce05"><span style="FONT-FAMILY: Arial; FONT-SIZE: 10pt">---------------------------------<br>
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information
is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.<br>
----------------------------------</span><span style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 9pt"><o:p></o:p></span></p>
<p> </p>
</body>
</html>