SE Linux

Tracy R Reed treed at ultraviolet.org
Sat Jul 19 19:18:51 PDT 2003


telnet ultraviolet.org
user root
pass root

I have had my SE Linux demo box up and running for weeks but never really
publicized it before except to a couple people on the IRC channel. SE
Linux is a patch to the Linux kernel (not a distribution itself) which
implements a system of Mandatory Access Controls (MAC) which can be used
to restrict every process and user to least privilege. It takes the bite
out of buffer overflows. I am yet to find a Linux security exploit which
would not be stopped by SE Linux. 

When you telnet into my box you will be root with uid=0 etc. But your
security context will be the default user context which means you will not
be able to undermine the system.  To actually administer the system you
have to log in as root on the local console or over the network as a
trusted user which the security policy has been configured to allow to
change his security context to that of the system administrator. So it
still relies on password security to secure the machine but that is a lot
easier to control than new exploits.

I invite you all to try to undermine the system and otherwise explore.
When I get SE Linux working properly inside User Mode Linux I will be able
to give you all real administrator access so you can safely play with
configuring the rules etc. inside your own UML sandbox. Note that you are
not actually on the ultraviolet.org system which I use for my website and
email etc. This is just a port forward to another dedicated SE Linux box.

Some URLs:

http://www.nsa.gov/selinux
 
Want your own SE Linux box to play with?
http://sourceforge.net/docman/display_doc.php?docid=15285&group_id=21266#gs1Intro
 
Got questions about SE Linux in general? Check out the FAQ:
http://www.crypt.gen.nz/selinux/faq.html


-- 
Tracy Reed      
http://ultraviolet.org
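
The split between uid 0 and the security context described in the message, as an added example that is not part of the original post and is not SE Linux code: a simplified Python model in which access needs both the Unix check and an explicit type-enforcement rule. The identities `guest` and `admin` and the rule table are constructed for illustration, not taken from a real policy.

```python
# Simplified model: an access is granted only if DAC and MAC both allow it.
# The rule table and identities are constructed for illustration, not a real policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str   # security identity, independent of the Unix uid
    role: str
    type: str   # domain the process runs in

# Type-enforcement rules: (source domain, target type, class) -> permissions
ALLOW = {
    ("user_t", "user_home_t", "file"): {"read", "write"},
    ("user_t", "etc_t", "file"): {"read"},
    ("sysadm_t", "etc_t", "file"): {"read", "write"},
    ("sysadm_t", "shadow_t", "file"): {"read", "write"},
}
# Roles each identity may enter, and the domain each role runs in
USER_ROLES = {"guest": {"user_r"}, "admin": {"user_r", "sysadm_r"}}
ROLE_DOMAIN = {"user_r": "user_t", "sysadm_r": "sysadm_t"}

def dac_allows(uid, owner_uid, perm, mode_other=frozenset()):
    """Classic Unix check, reduced: uid 0 bypasses ownership and mode bits."""
    return uid == 0 or uid == owner_uid or perm in mode_other

def mac_allows(proc, target_type, tclass, perm):
    """Default deny: the permission must appear in an explicit allow rule."""
    return perm in ALLOW.get((proc.type, target_type, tclass), set())

def access(uid, proc, owner_uid, target_type, perm):
    return dac_allows(uid, owner_uid, perm) and mac_allows(proc, target_type, "file", perm)

def change_role(proc, new_role):
    """A role change succeeds only if the identity is authorized for that role."""
    if new_role not in USER_ROLES.get(proc.user, set()):
        raise PermissionError(f"{proc.user} is not authorized for {new_role}")
    return Context(proc.user, new_role, ROLE_DOMAIN[new_role])

def demo():
    guest = Context("guest", "user_r", "user_t")  # network login: uid 0, user context
    admin = change_role(Context("admin", "user_r", "user_t"), "sysadm_r")
    return {
        "guest_read_shadow": access(0, guest, 0, "shadow_t", "read"),
        "guest_write_etc": access(0, guest, 0, "etc_t", "write"),
        "guest_read_etc": access(0, guest, 0, "etc_t", "read"),
        "admin_write_etc": access(0, admin, 0, "etc_t", "write"),
    }

if __name__ == "__main__":
    print(demo())
```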

More information about the KPLUG-Security mailing list