Notes from MerriLUG, 17-April-2008: Dan Walsh and SELinux

Ted Roche tedroche at tedroche.com
Fri Apr 18 18:07:31 EDT 2008


Eleven people attended the April meeting of MerriLUG, the Merrimack 
Valley chapter of the Greater New Hampshire Linux User Group. Heather 
called the meeting to order at 7:30 PM, noted that the attendees were 
pretty much The Usual Suspects, and dispensed with the long-winded 
announcements for new members. http://www.gnhlug.org will tell you all 
you want to know.

Dan Walsh [1] was the main presenter tonight. Dan had a very special
visit from the Demo Gods, just before he was to start. His hard drive
decided that his boot partition wasn't. Never heard of ext3. Ouch. Ever 
the good showman, he borrowed my laptop, downloaded his presentations 
from the web [2], and put on a great show.

Dan mentioned that he'd lost his previous laptop during his recent tour
in Europe when it was stolen and that maintaining your home directory
encrypted [3] was a Good Idea.

Dan reviewed the history of SELinux and the iterations we saw in Fedora
3 through 8 and RHEL 3 through 5 and what to expect in 9. He talked about
the evolution of the policies, the different feature sets available, how
the SELinux architecture can meet the stringent requirements of DoD
level organizations (with bullet points like: "RHEL5: MSP Policy: EAL4+,
LSPP, RBAC" - who wouldn't be impressed?) to the Significant Others at
home who really just want a machine to use the browser on.

Dan showed off the new kiosk policy, xguest [4], which was essentially a
minimal-permissions user (no setuid, no executables in the home
directory, no installation abilities, etc.) extended to run Firefox. 
Perfect when someone wants to borrow your machine for a second! In
the default settings (installable in F8 or 9 with sudo yum install
xguest), it creates a fairly 'safe' user that can't do a lot of harm and
whose directories are temporary RAM-based and vanish when the user logs
out. (You can modify it to keep a persistent home to store cookies and 
bookmarks.) Ideal for library or public kiosk situations. Yes, the 
evil-minded boys in the room could come up with some work-around 
exploits, but this is a promising start!

Thanks to Dan for a great presentation under trying circumstances, to
Heather Brodeur and Jim Kuzdrall for managing and promoting the
meetings, to Martha's Exchange for providing the facilities, and to all
who attended and participated.

[1] http://people.redhat.com/~dwalsh/
[2] http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/
[3] http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems
[4] http://fedoraproject.org/wiki/Interviews/SELinux?highlight=%28xguest%29
-- 

Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com
