Archive | April 18, 2008

MerriLUG Notes, 17-April-2008: Dan Walsh & SELinux

Eleven people attended the April meeting of MerriLUG, the Merrimack Valley chapter of the Greater New Hampshire Linux User Group. Heather called the meeting to order at 7:30 PM, noted that the attendees were pretty much The Usual Suspects, and dispensed with the long-winded announcements for new members. http://www.gnhlug.org will tell you all you want to know.

Dan Walsh was the main presenter tonight. Dan had a very special visit from the Demo Gods just before he was to start: his hard drive decided that his boot partition wasn’t one and had never heard of ext3. Ouch. Ever the good showman, he borrowed my laptop, downloaded his presentations from the web, and put on a great show.

Dan mentioned that he’d lost his previous laptop during his recent tour in Europe when it was stolen and that maintaining your home directory encrypted was a Good Idea.

Dan reviewed the history of SELinux and the iterations we saw in Fedora 3 through 8 and RHEL 3 through 5, and what to expect in 9. He talked about the evolution of the policies, the different feature sets available, and how the SELinux architecture can serve everyone from DoD-level organizations with stringent requirements (with bullet points like: “RHEL5: MSP Policy: EAL4+, LSPP, RBAC” – who wouldn’t be impressed?) to the Significant Others at home who really just want a machine to use the browser on.

Dan showed off the new kiosk policy, xguest, which is essentially a minimal-permissions user (no setuid, no executables in the home directory, no installation abilities, etc.) extended to run Firefox. Perfect when someone wants to borrow your machine for a second! In the default settings (installable in F8 or 9 with sudo yum install xguest), it creates a fairly ‘safe’ user that can’t do a lot of harm and whose directories are temporary RAM-based and vanish when the user logs out. (You can modify it to keep a persistent home to store cookies and bookmarks.) Ideal for library or public kiosk situations. Yes, the evil-minded boys in the room could come up with some work-around exploits, but this is a promising start!
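As an added example (not from the talk or the xguest package itself), here is a small POSIX shell check an administrator could run after installing xguest to confirm the kiosk account is actually confined: that the xguest login is mapped to the xguest_u SELinux user, and that none of the optional xguest_* booleans that loosen the policy are switched on. The sample outputs below are constructed to mirror the format of `semanage login -l` and `getsebool -a`; the boolean names (xguest_connect_network, xguest_mount_media, xguest_use_bluetooth) are assumed from the Fedora xguest policy, but the check keys on the xguest_ prefix so it does not depend on the exact list.

```shell
#!/bin/sh
# Verify that the xguest kiosk account is confined. Constructed sample data
# stands in for live command output; see the usage note below.

# Constructed sample of `semanage login -l` output (assumed column layout).
LOGIN_MAP_SAMPLE='Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
xguest               xguest_u             s0                   *'

# Constructed sample of `getsebool -a`, filtered to the xguest_* booleans
# (names assumed from the xguest policy; one deliberately left "on").
XGUEST_BOOLS_SAMPLE='xguest_connect_network --> off
xguest_mount_media --> off
xguest_use_bluetooth --> on'

# xguest_login_confined MAP LOGIN
# Returns 0 if LOGIN is mapped to the xguest_u SELinux user in MAP, else 1.
xguest_login_confined() {
    printf '%s\n' "$1" | awk -v login="$2" \
        '$1 == login && $2 == "xguest_u" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# xguest_enabled_booleans BOOLS
# Prints every xguest_* boolean that is "on", one per line.
# Returns 0 if none are enabled (policy at its tightest), else 1.
xguest_enabled_booleans() {
    printf '%s\n' "$1" | awk \
        '$1 ~ /^xguest_/ && $3 == "on" { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# Report on the constructed samples.
if xguest_login_confined "$LOGIN_MAP_SAMPLE" xguest; then
    echo "ok: xguest is mapped to xguest_u"
else
    echo "WARN: xguest is not mapped to xguest_u"
fi

if enabled=$(xguest_enabled_booleans "$XGUEST_BOOLS_SAMPLE"); then
    echo "ok: no xguest_* booleans enabled"
else
    echo "WARN: xguest_* booleans enabled:"
    printf '  %s\n' $enabled
fi
```

On a real Fedora host you would replace the two constructed samples with `"$(semanage login -l)"` and `"$(getsebool -a)"`; the functions are written to parse that live output unchanged. The sample data is set up so the second check warns, which is the case an administrator actually wants to catch before putting the machine out as a kiosk.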

Thanks to Dan for a great presentation under trying circumstances, to Heather and Jim for managing and promoting the meetings, to Martha’s Exchange for providing the facilities, and to all who attended and participated.

UPDATE: Dan’s posted an article to Red Hat Magazine, “Confining the user with SELinux” that covers a lot of material in the presentation, with more detail than my notes and links for further study.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.