Hi,

Tóth Attila wrote:
> I'm about to set up a new box. It'll run Hardened Gentoo (surprise!) - what
> else?
> Besides providing usual services (ssh, mail, etc.), it would also function
> as a (uhm..) desktop (I know, I know...).
> I'm hesitating between Grsec and SELinux.
> I'm already quite familiar with Grsec, but I have just some limited
> knowledge and experience on SELinux. IMHO, a regular desktop system should
> also have effective security features enforced nowadays.
> Is anybody running xorg on an SELinux box (I know, I know)?
>
> Are there any working policies for, or has anybody ever successfully used
> the following list of daemons?
> sendmail
> dovecot
> (cyrus-imapd?)

not sure about sendmail as I don't use it, but the other two don't have a gentoo policy.
there is policy available for them on the selinux.sf.net CVS.
a quick view here:

http://dev.gentoo.org/~kaiowas/policy/nsa/domains/program/unused/cyrus.te
http://dev.gentoo.org/~kaiowas/policy/nsa/domains/program/unused/dovecot.te
http://dev.gentoo.org/~kaiowas/policy/nsa/file_contexts/program/cyrus.fc
http://dev.gentoo.org/~kaiowas/policy/nsa/file_contexts/program/dovecot.fc

> spamd
> clamd

I use these two on a production server so their policy should be up-to-date.
courier-imap is also supported if you hesitate about cyrus-imapd.

> BTW, which MTA suite would you recommend to use with SELinux?

we have policy for qmail and postfix

> Should I stick to my good old Grsec RBAC policy if I hope for desktop
> functionality?

some have reported success with the not-yet-supported x11 policy.
you can test it to see if it fits

http://dev.gentoo.org/~kaiowas/distfiles/selinux-x11-[get_the_latest]

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux