[CLUE-Tech] The NSA's version of Linux...

Joseph A. Nagy, Jr. jnagyjr at joseph-a-nagy-jr.us
Thu Nov 4 11:36:01 MST 2004


On Thu, Nov 04, 2004 at 09:20:16AM -0700, Matt Gushee wrote the following:
> On Thu, Nov 04, 2004 at 06:50:34AM -0600, Joseph A. Nagy, Jr. wrote:
> > On Thu, Nov 04, 2004 at 12:48:41AM -0800, Tony M. wrote the following:
> > > Damn, everyone's got a distro now.
> > > 
> > > http://www.nsa.gov/selinux/index.cfm
> > 
> > Technically SELinux is just a kernel patch, you can apply it to any kernel.
> > Gentoo has a USE flag that allows you to set up an SELinux enabled Gentoo
> > box.
> 
> Kevin Fenzi discussed this in his security presentation last month
> (unfortunately, nothing posted on the Web at this point). In response to
> some people's natural concerns about using code from a spy agency, he
> mentioned that a number of uber-kernel-hackers had reviewed the patch
> very carefully and given it the thumbs-up.
> 
> Actually, I now have a kernel with SELinux enabled. One of the
> interesting things about it is that it allows you to grant privileges in
> a more selective way than you could before. I'm using it to provide
> low-latency performance for audio applications. The way it works is, you
> have a kernel with SELinux enabled + "security capabilities" built as a
> module. Then you add the third-party realtime-lsm module; you can load
> it with a user or group id as a parameter, e.g.:
> 
>   modprobe realtime gid=29
> 
> Then any member of group #29 has access to the realtime clock. Thus, you
> no longer have to have any programs setuid root for RTC access. Pretty
> cool, huh?

What I'm worried about with SELinux is really messing up my
workstation/server. I wish I had a viable box to test it on, but my other
two computers are kaput.

-- 
AIM: pres CTHULHU | ICQ: 18115568 | Yahoo: pagan_prince
Jabber: DarkKnightRadick@(jabber.org|amessage.at) | Libertarian @ Large
PGP: CF7EAA67 | < http://groups.yahoo.com/group/tennesseans-for-badnarik/ >
< http://mc-luug.homelinux.org/mailman/listinfo/mc-luug >