<div dir="ltr">SEL takes a bit of getting your head round (well, I found it the hardest part of the Red Hat Engineer course I did). <div> </div><div>The notes from Red Hat are very good and I include two links for those who wish top learn more.</div> <div> </div><div>Regards,</div><div> </div><div>Phill.</div><div>1. <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html</a></div> <div>2. <a href="http://www.redhat.com/magazine/001nov04/features/selinux/">http://www.redhat.com/magazine/001nov04/features/selinux/</a></div></div><div class="gmail_extra"> <div class="gmail_quote">On 22 August 2013 13:30, Tony Arnold <<a href="mailto:tony.arnold@manchester.ac.uk" target="_blank">tony.arnold@manchester.ac.uk</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 22/08/13 13:06, pete smout wrote: > On 22/08/13 12:33, Kris Douglas wrote: >> On 22 August 2013 12:21, pete smout <<a href="mailto:psmouty@live.com">psmouty@live.com</a>> wrote: >>> On 22/08/13 11:59, pete smout wrote: >>>> On 22/08/13 11:41, Paul Sutton wrote: >>>>> On 21/08/13 22:12, scoundrel50a wrote: >>>>>> On 21/08/2013 17:07, Colin Law wrote: >>>>>>> On 21 August 2013 16:57, Gareth France <<a href="mailto:gareth.france@gmail.com">gareth.france@gmail.com</a>> wrote: >>>>>>>> On 21/08/13 10:13, scoundrel50a wrote: >>>>>>>> >>>>>>>> Hi, I really dont understand the attitude of attack when somebody posts >>>>>>>> something like this. Not everybody is competant in using Ubuntu, and >>>>>>>> not >>>>>>>> everybody understands the risks involved especially considering for >>>>>>>> years >>>>>>>> its been pushed as a safe OS. All i have done is post this to the >>>>>>>> group, I >>>>>>>> dont appreciate this attitude. It doesnt give Ubuntu a good light when >>>>>>>> people see this. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On the whole I have stopped posting to this group since there are a >>>>>>>> number >>>>>>>> of people who are obviously on pedestals above us lowly minions. Not >>>>>>>> so long >>>>>>>> back after starting a thread I was shot down in an unforgivably >>>>>>>> harsh manner >>>>>>>> by people who made assumptions about me based on absolutely no >>>>>>>> evidence and >>>>>>>> proceeded to trample all over my opinion and my self esteem. >>>>>>>> >>>>>>>> I have said it before and I'll say it again, not everyone is an >>>>>>>> expert, not >>>>>>>> everyone understands things that are obvious to you. Be careful how you >>>>>>>> respond as we are supposed to be wanting to encourage mass adoption >>>>>>>> and as >>>>>>>> many new users as possible. Insulting them, depressing them, making >>>>>>>> them >>>>>>>> feel small, they will only leave. >>>>>>> I don't think we know what it was that scoundrel50a was taking >>>>>>> exception to as the post he complained about was not about anything he >>>>>>> said. Scoundrel50a can you clarify exactly what it was that worried >>>>>>> you? >>>>>>> >>>>>>> Colin >>>>>>> >>>>>> I'm sorry but if you think that Peter Maddison's reply to me was >>>>>> acceptable then I dont see the point in saying anything, and you shot >>>>>> me down yourself. Which is why I answered the way I did. >>>>>> >>>>>> I dont see any posts on here that warn people that Linux isnt >>>>>> completely safe and whenever its bought up, people are treated like >>>>>> they are idiots and its always those people that are knowledgeable >>>>>> about Linux.....the rest of us are treated like I have been now. >>>>>> >>>>>> An its not just this thread its thread after thread that people are >>>>>> shouted down in, by the same people every time. >>>>>> >>>>>> >>>>>> >>>>>> >>>>> If there is a threat out there, no matter small people should be a) >>>>> aware of it, and b) advised on how to avoid problems, if everyone does >>>>> small things to protect their own systems, then surely the wider >>>>> community benefits, >>>>> >>>>> Look at how many bot nets are out there, there seems to be several >>>>> million compromised Windows computers out there all chugging away and >>>>> awaiting some instruction to do something nasty, >>>>> >>>>> some of the suggestions offered are easy to implement others not so >>>>> unless you understand what it is asking you to do >>>>> >>>>> # >>>>> >>>>> >>>>> Do not install unsigned packages >>>>> # Do not add unofficial repositories without investigating said repository >>>>> # Keep your system up to date at all times >>>>> # Keep all browser plugins up to date >>>>> # If your distribution has SELinux, use it >>>>> # Do not let others install software on your machines >>>>> # Use solid passwords >>>>> # If asked to enter root user (or sudo) password, always know why >>>>> >>>>> Maybe what is needed here are links to sites that advise on all the >>>>> above issues, the reference to SELinux could have a link to the SELinux >>>>> website and an explanation of what this is, why its important. useful >>>>> and what I should use it, it says don't install things you don't >>>>> understand, well you have asked me to install SELinux which i sort of >>>>> understand does this mean I should or should not install it, (look at >>>>> that from a complete new user viewpoint) >>>>> >>>>> >>>>> >>>>> Sometimes when advice sounds like the obvious to an expert it really >>>>> does baffle the novice, lets take a step back and address each of the >>>>> above and perhaps help people (esp new users) to make their systems more >>>>> secure through education and advice. >>>>> >>>>> I am happy to host information on the dcglug website blog if people can >>>>> help me explain each of the above points please, this information will >>>>> then be in one place and can act to help others both expert and novice >>>>> help others. >>>>> Hope this helps >>>>> >>>>> In fact such information could or would quite possibly be something to >>>>> include in the ubuntu-manual project and lubuntu documentation, >>>>> >>>>> Paul >>>>> >>>>> >>>> Hi, >>>> Although I have heard of SELinux I have never used it, I believe (not >>>> certain) that it comes as default on modern *buntu systems?! >>>> Does it need setting up, if so a link to a how to would be good! >>>> What are the benefits if using / installing it over not having it? >>>> What are the pitfalls of using it (for example I use the mozilla ppa as >>>> the firefox version in the Ubunutu repos is too out of date for certain >>>> webpages, let alone from a security point of view, will it allow me to >>>> continue using it?) >>>> >>>> I think some more research on my part is needed as in my everyday world >>>> SEL means Shelf Edge Label so the name leads to confusion ;) >>>> >>>> Good Job I'm not working today and I have the time to research, if >>>> anyone has some good links on the subject I (if not anyone else) would >>>> be interested in seeing them, But google will provide the answers im sure!! >>>> >>>> Thanks for giving me some more research.... I dont spend enough time in >>>> front of a screen (lol) >>>> >>>> Pete Smout >>>> >>>> >>> Right a quick google of 'SELinux ubuntu 13.04' a link top of page to an >>> Amazon page trying to sell me a Ubunutu DVD for £6.49 (even I am not >>> that stupid) the SELinux wiki page is helpful if long-winded, and I have >>> found a folder /selinux which is completely empty on my system? does >>> that mean it is there? >>> Or is it there and never been configured for use? >>> And on a single user system (as opposed to a server) do I need it at all? >>> >>> I apologize in advance if I (1) should start a new thread (will happily >>> do so), or (2) am asking stupid questions, but this thread has got me >>> thinking...... >>> >>> Pete Smout >> >> Try searching for AppArmor, SEL is not used on Ubuntu. >> >> >> > Many thanks for the prompt replies, If it is not used what is the > directory for? (/selinux is completely empty) > A search in Synaptic for selinux shows that only libselinux1 and > libsemanage1 are installed on my system, are these shared libraries with > AppArmor or left over after upgrades (this system started out life as > 10.04 LTS and has been through all upgrades 10.10, 11.04 etc). I am > always nervous about removing lib files as the consequences may not be > noticed for weeks if not months, and trying to remember everything to > put them back is getting harder as I get older! > > As for AppArmor I have seen this mentioned when adding / removing > packages & updates but never had cause to investigate it. It's > reassuring to know that it sits there working behind the scenes to > protect me and my data! > > I am reasonably confidant that all the PPA's in use on my system are > harmless as I have pretty much only used ones from 'trustworthy' sources > i.e. Mozilla and hopefully I am not stupid enough to just install things > blindly with no research first, but as I am trying on an almost daily > basis to convert those less fortunate than us to the way of free open > source software & the delights of Ubuntu, the more info I am armed with > the better. > With great power comes great responsibility! > > The lesson here is look before you leap, only add things you can trust, > and if you act as a tester for app devs then make sure you can trust > them as there are pitfalls in the most random of places (I am sure 99.9% > are ok but someone has to lose this particular lotto, hopefully not me) </div></div>Have a look at the package 'policycoreutils' which provides tools for managing SELinux. I don't think this is the same as apparmour. I could be wrong but I thought SELinux was all about implementing non-discretionary access controls. User's access to objects such as files etc is determined by who they are and what the object attributes. The control is set by the system manager and usually cannot be overriden by the user. Have a look at <a href="http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria" target="_blank">http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria</a> for more details on this. Regards, Tony. <div class="im">> > Thanks again > > Pete S > > > -- </div>Tony Arnold, Tel: <a href="tel:%2B44%20%280%29%20161%20275%206093" value="+441612756093">+44 (0) 161 275 6093</a> Head of IT Security, Fax: <a href="tel:%2B44%20%280%29%20705%20344%203082" value="+447053443082">+44 (0) 705 344 3082</a> University of Manchester, Mob: <a href="tel:%2B44%20%280%29%20773%20330%200039" value="+447733300039">+44 (0) 773 330 0039</a> Manchester M13 9PL. Email: <a href="mailto:tony.arnold@manchester.ac.uk">tony.arnold@manchester.ac.uk</a> <div class="HOEnZb"><div class="h5"> -- <a href="mailto:ubuntu-uk@lists.ubuntu.com">ubuntu-uk@lists.ubuntu.com</a> <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk</a> <a href="https://wiki.ubuntu.com/UKTeam/" target="_blank">https://wiki.ubuntu.com/UKTeam/ <div> </div>-- <a href="https://wiki.ubuntu.com/phillw" target="_blank">https://wiki.ubuntu.com/phillw</a> </a> </div></div></blockquote></div></div>