On Mon, Nov 29, 2021, 10:27 PM Tom Dial <tdd...@comcast.net> wrote:

> On 11/29/21 17:19, Nicholas Geovanis wrote:
> > On Mon, Nov 29, 2021, 5:14 PM James H. H. Lampert
> > <jam...@touchtonecorp.com> wrote:
> >
> >     .... And the only
> >     reason ROOT access is more dangerous than, say, QSECOFR access on OS/400
> >     (or whatever IBM is calling it this week) is because there's nothing
> >     stopping a Linux ROOT from doing things *nobody* should be allowed to do
> >     without putting the system into some kind of maintenance mode.
> >
> > Well selinux stops root from doing those things. But I'm the only known
> > human who doesn't dislike selinux. And other problems I have....
> > :-D
>
> You are not the only one who doesn't dislike or maybe even likes selinux.
> I consider it technically superior to apparmor as a mandatory access
> control system, and maybe both more flexible and user-friendlier as well. I
> found it generally fairly easy to find good documentation (e.g., Red Hat).

Red Hat's doc is probably the best. But they ship it in several pre-configured but non-complete base configurations. Like their "targeted mode".

> And I expect those who originated it, some still employed at USNSA, also
> think well of it, along with the current maintainers and likely enough
> quite a few other users.

The "rainbow books" are freely available on Google books nowadays. They were NCSC (NSA) guidelines for highly secure govt systems. I implemented B1 level security (Orange book, Green book) (MAC like selinux) in 1990 in Unix OS's. Went thru the evaluation process with them.

> Regards,
> Tom Dial
>
> >     .......
> >     --
> >     JHHL