[ale] October meeting topic - SELinux

Michael B. Trausch mike at trausch.us
Tue Aug 24 13:49:58 EDT 2010


On Tue, 2010-08-24 at 11:14 -0400, Jim Kinney wrote:
> I have informed Aaron I will give a meeting in October on SELinux. I
> am tinkering with SEPostgres - yes, that's SELinux extensions for
> PostgreSQL! - and wanted a feel for interest, i.e. how far down the
> rabbit hole should I look at for the talk?
> 
> NOTE: My talks are notoriously long - I think the last one was 90
> minutes - and this one will likely be no different. 
> 
> I'm looking at an overview of SELinux and how to work with it, uses of
> the multi-level, multi-category security model (much more than the
> "strict" mode) and a practical example of a database using it natively
> (along with the process of patch -n- build, etc). 

I, for one, would be interested in anything that you can reasonably
cover in a 90 to 120 minute window, even if I have to read 120,000 words
of text afterwards to understand it all.  :-)

That said, here are a few things that I can think of that I would like
to know:

  * WRT implementing SELinux on an existing system, is there some method
    of determining what rules would be good to implement by scanning the
    system?
  * Is there a method of remote management of SELinux rules?
  * Can it do things like require that a cryptographic key is used to
    access a system over a username and password, particularly for
    privileged operations?
  * Along the same lines as the last question, how high-level can
    SELinux requirements get?
  * Is it worthwhile for use in a small network (< 5 servers)?
  * Is it useful inside of virtual machines (for example, are there
    SELinux "namespaces" that can be used inside of something like LXC
    so that all that has to happen for SELinux to work in the containers
    is to have the SELinux modules loaded on the host)?
  * Assuming that the last question is answered in the affirmative,
    is it also possible to have SELinux used on the host to do something
    like say "VMs can do whatever, bound by their own SELinux policies,
    as long as they don't break out into the host system?"

I could probably ask 100 questions, but these are the biggest ones that
I can think of that I would like answers to (or pointers to answers to).

	--- Mike