SEL takes a bit of getting your head round (well, I found it the hardest part of the Red Hat Engineer course I did).
The notes from Red Hat are very good and I include two links for those who wish top learn more. Regards, Phill. 1. https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html 2. http://www.redhat.com/magazine/001nov04/features/selinux/ On 22 August 2013 13:30, Tony Arnold <tony.arn...@manchester.ac.uk> wrote: > On 22/08/13 13:06, pete smout wrote: > > On 22/08/13 12:33, Kris Douglas wrote: > >> On 22 August 2013 12:21, pete smout <psmo...@live.com> wrote: > >>> On 22/08/13 11:59, pete smout wrote: > >>>> On 22/08/13 11:41, Paul Sutton wrote: > >>>>> On 21/08/13 22:12, scoundrel50a wrote: > >>>>>> On 21/08/2013 17:07, Colin Law wrote: > >>>>>>> On 21 August 2013 16:57, Gareth France <gareth.fra...@gmail.com> > wrote: > >>>>>>>> On 21/08/13 10:13, scoundrel50a wrote: > >>>>>>>> > >>>>>>>> Hi, I really dont understand the attitude of attack when somebody > posts > >>>>>>>> something like this. Not everybody is competant in using Ubuntu, > and > >>>>>>>> not > >>>>>>>> everybody understands the risks involved especially considering > for > >>>>>>>> years > >>>>>>>> its been pushed as a safe OS. All i have done is post this to the > >>>>>>>> group, I > >>>>>>>> dont appreciate this attitude. It doesnt give Ubuntu a good light > when > >>>>>>>> people see this. > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> On the whole I have stopped posting to this group since there are > a > >>>>>>>> number > >>>>>>>> of people who are obviously on pedestals above us lowly minions. > Not > >>>>>>>> so long > >>>>>>>> back after starting a thread I was shot down in an unforgivably > >>>>>>>> harsh manner > >>>>>>>> by people who made assumptions about me based on absolutely no > >>>>>>>> evidence and > >>>>>>>> proceeded to trample all over my opinion and my self esteem. > >>>>>>>> > >>>>>>>> I have said it before and I'll say it again, not everyone is an > >>>>>>>> expert, not > >>>>>>>> everyone understands things that are obvious to you. Be careful > how you > >>>>>>>> respond as we are supposed to be wanting to encourage mass > adoption > >>>>>>>> and as > >>>>>>>> many new users as possible. Insulting them, depressing them, > making > >>>>>>>> them > >>>>>>>> feel small, they will only leave. > >>>>>>> I don't think we know what it was that scoundrel50a was taking > >>>>>>> exception to as the post he complained about was not about > anything he > >>>>>>> said. Scoundrel50a can you clarify exactly what it was that > worried > >>>>>>> you? > >>>>>>> > >>>>>>> Colin > >>>>>>> > >>>>>> I'm sorry but if you think that Peter Maddison's reply to me was > >>>>>> acceptable then I dont see the point in saying anything, and you > shot > >>>>>> me down yourself. Which is why I answered the way I did. > >>>>>> > >>>>>> I dont see any posts on here that warn people that Linux isnt > >>>>>> completely safe and whenever its bought up, people are treated like > >>>>>> they are idiots and its always those people that are knowledgeable > >>>>>> about Linux.....the rest of us are treated like I have been now. > >>>>>> > >>>>>> An its not just this thread its thread after thread that people are > >>>>>> shouted down in, by the same people every time. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>> If there is a threat out there, no matter small people should be a) > >>>>> aware of it, and b) advised on how to avoid problems, if everyone > does > >>>>> small things to protect their own systems, then surely the wider > >>>>> community benefits, > >>>>> > >>>>> Look at how many bot nets are out there, there seems to be several > >>>>> million compromised Windows computers out there all chugging away and > >>>>> awaiting some instruction to do something nasty, > >>>>> > >>>>> some of the suggestions offered are easy to implement others not so > >>>>> unless you understand what it is asking you to do > >>>>> > >>>>> # > >>>>> > >>>>> > >>>>> Do not install unsigned packages > >>>>> # Do not add unofficial repositories without investigating said > repository > >>>>> # Keep your system up to date at all times > >>>>> # Keep all browser plugins up to date > >>>>> # If your distribution has SELinux, use it > >>>>> # Do not let others install software on your machines > >>>>> # Use solid passwords > >>>>> # If asked to enter root user (or sudo) password, always know why > >>>>> > >>>>> Maybe what is needed here are links to sites that advise on all the > >>>>> above issues, the reference to SELinux could have a link to the > SELinux > >>>>> website and an explanation of what this is, why its important. useful > >>>>> and what I should use it, it says don't install things you don't > >>>>> understand, well you have asked me to install SELinux which i sort > of > >>>>> understand does this mean I should or should not install it, (look > at > >>>>> that from a complete new user viewpoint) > >>>>> > >>>>> > >>>>> > >>>>> Sometimes when advice sounds like the obvious to an expert it really > >>>>> does baffle the novice, lets take a step back and address each of > the > >>>>> above and perhaps help people (esp new users) to make their systems > more > >>>>> secure through education and advice. > >>>>> > >>>>> I am happy to host information on the dcglug website blog if people > can > >>>>> help me explain each of the above points please, this information > will > >>>>> then be in one place and can act to help others both expert and > novice > >>>>> help others. > >>>>> Hope this helps > >>>>> > >>>>> In fact such information could or would quite possibly be something > to > >>>>> include in the ubuntu-manual project and lubuntu documentation, > >>>>> > >>>>> Paul > >>>>> > >>>>> > >>>> Hi, > >>>> Although I have heard of SELinux I have never used it, I believe (not > >>>> certain) that it comes as default on modern *buntu systems?! > >>>> Does it need setting up, if so a link to a how to would be good! > >>>> What are the benefits if using / installing it over not having it? > >>>> What are the pitfalls of using it (for example I use the mozilla ppa > as > >>>> the firefox version in the Ubunutu repos is too out of date for > certain > >>>> webpages, let alone from a security point of view, will it allow me to > >>>> continue using it?) > >>>> > >>>> I think some more research on my part is needed as in my everyday > world > >>>> SEL means Shelf Edge Label so the name leads to confusion ;) > >>>> > >>>> Good Job I'm not working today and I have the time to research, if > >>>> anyone has some good links on the subject I (if not anyone else) would > >>>> be interested in seeing them, But google will provide the answers im > sure!! > >>>> > >>>> Thanks for giving me some more research.... I dont spend enough time > in > >>>> front of a screen (lol) > >>>> > >>>> Pete Smout > >>>> > >>>> > >>> Right a quick google of 'SELinux ubuntu 13.04' a link top of page to an > >>> Amazon page trying to sell me a Ubunutu DVD for £6.49 (even I am not > >>> that stupid) the SELinux wiki page is helpful if long-winded, and I > have > >>> found a folder /selinux which is completely empty on my system? does > >>> that mean it is there? > >>> Or is it there and never been configured for use? > >>> And on a single user system (as opposed to a server) do I need it at > all? > >>> > >>> I apologize in advance if I (1) should start a new thread (will happily > >>> do so), or (2) am asking stupid questions, but this thread has got me > >>> thinking...... > >>> > >>> Pete Smout > >> > >> Try searching for AppArmor, SEL is not used on Ubuntu. > >> > >> > >> > > Many thanks for the prompt replies, If it is not used what is the > > directory for? (/selinux is completely empty) > > A search in Synaptic for selinux shows that only libselinux1 and > > libsemanage1 are installed on my system, are these shared libraries with > > AppArmor or left over after upgrades (this system started out life as > > 10.04 LTS and has been through all upgrades 10.10, 11.04 etc). I am > > always nervous about removing lib files as the consequences may not be > > noticed for weeks if not months, and trying to remember everything to > > put them back is getting harder as I get older! > > > > As for AppArmor I have seen this mentioned when adding / removing > > packages & updates but never had cause to investigate it. It's > > reassuring to know that it sits there working behind the scenes to > > protect me and my data! > > > > I am reasonably confidant that all the PPA's in use on my system are > > harmless as I have pretty much only used ones from 'trustworthy' sources > > i.e. Mozilla and hopefully I am not stupid enough to just install things > > blindly with no research first, but as I am trying on an almost daily > > basis to convert those less fortunate than us to the way of free open > > source software & the delights of Ubuntu, the more info I am armed with > > the better. > > With great power comes great responsibility! > > > > The lesson here is look before you leap, only add things you can trust, > > and if you act as a tester for app devs then make sure you can trust > > them as there are pitfalls in the most random of places (I am sure 99.9% > > are ok but someone has to lose this particular lotto, hopefully not me) > > Have a look at the package 'policycoreutils' which provides tools for > managing SELinux. I don't think this is the same as apparmour. > > I could be wrong but I thought SELinux was all about implementing > non-discretionary access controls. User's access to objects such as > files etc is determined by who they are and what the object attributes. > The control is set by the system manager and usually cannot be overriden > by the user. > > Have a look at > http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria > for more details on this. > > Regards, > Tony. > > > > Thanks again > > > > Pete S > > > > > > > > > -- > Tony Arnold, Tel: +44 (0) 161 275 6093 > Head of IT Security, Fax: +44 (0) 705 344 3082 > University of Manchester, Mob: +44 (0) 773 330 0039 > Manchester M13 9PL. Email: tony.arn...@manchester.ac.uk > > -- > ubuntu-uk@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk > https://wiki.ubuntu.com/UKTeam/ > > -- > https://wiki.ubuntu.com/phillw <https://wiki.ubuntu.com/UKTeam/> >
-- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.ubuntu.com/UKTeam/
