[nylug-talk] Weakest Links
Chris Knadle
Chris.Knadle at coredump.us
Wed Sep 5 16:26:25 EDT 2007
On Tuesday 04 September 2007, Ajai Khattri wrote:
> On Fri, 31 Aug 2007, Chris Knadle wrote:
> > "Hi, this is Firefox, can you go and modify my .rc file in
> > <so-in-so> way, so that the next time I'm started the preferences you
> > just set will be active?"
> > Nobody [in their right mind] would want something this restrictive,
> > because it becomes too hard to use.
>
> Therein lies the crux of the problem - using a more complicated security
> model without tools to make it easy result in a system harder to use.
Yeah, there are certain GUI tools that I like which make admin easier,
particularly ones that output files that can be used on systems that do not
have the GUI loaded, such as the iptables firewall script output by Guarddog.
> > I'm in agreement there. Unfortunately SELinux [and other such
> > restrictive security models] are relatively complex. I've played around
> > SELinux some on Debian with their targeted reference policy. Need to
> > play with it more.
>
> Anyone played with polgengui (graphical selinux policy generator)? Im
> thinking something like this could be used to generate profiles for common
> attack vectors like web browsers, email software, etc.
>
> http://tinyurl.com/2hn9nc
I haven't been able to find source code [even in RPM form] for polgengui
thusfar in order to install it on Debian. It looks interesting, as it too
outputs a policy which is usable without having to install the GUI, but for
now it seems like the tool was specifically designed for RedHat 5.
The SELinux policy GUI I can find in Debian is part of the setools
package -- apol.
-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
More information about the nylug-talk
mailing list