On Mon, Jul 1, 2013 at 12:10 PM, Chuck Frain <span dir="ltr"><<a href="mailto:chuck@chuckfrain.net" target="_blank">chuck@chuckfrain.net</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
...<br>
At the end of the talk you’ll be flying high with your new understanding<br>
of SELinux and be ready to take on the world. Next time someone says<br>
SELinux instead of having that nauseous feeling in the pit of your<br>
stomach you’ll be able to stand tall and say “Wait a minute! I saw a<br>
talk on SELinux and I know WTF it's saying to me!”<br>
...<br>
About Dave Quigley<br>David Quigley started his career as a Computer Systems Researcher for<br>
the National Information Assurance Research Lab at the NSA where he<br>
worked as a member of the SELinux team. David leads the design and<br>
implementation efforts to provide Labeled-NFS support for SELinux. David<br>
has previously contributed to the open source community through<br>
maintaining the Unionfs 1.0 code base and through code contributions to<br>
various other projects ...</blockquote><div><br></div><div>Just to tack on to this ...</div><div><br></div><div>Beyond the various SELinux sessions at Summit [1] a few weeks ago, along with the RHEL Roadmap [2] I know many of you use Linux Containers (lxc). So I want to bring up another presentation you might be interested in, especially since "Security" comes up a lot when lxc are talked about.</div>
<div><br></div><div>The lxc approach has been not only a focus in Fedora, but also with using SELinux to sandbox them, the combination being planned for RHEL7 in various forms. [3] For those of you deploying the entstream (Enterprise Stream), possibly a Rentstream** (Rebuild Enterprise downStream), the latter document provides Red Hat's planned RHEL7 combined lxc + kvm strategy (not including RHEV), and how they will and won't overlap in capabilities.</div>
<div><br></div><div>And regarding David's most excellent work on NFS 4.2 Labels, there was a related presentation on NFS [4] with more information as well, a very missing piece of SELinux for Enterprise making use of NFS, such as NFS4 with GSSAPI security options (e.g., sec=krb5p). This includes a new proxy approach to keytabs in GSS-proxy, along with FedFS and other details. Combined with Identity Management (IdM) via Identity, Policy, Audit (IPA) [5], if you're using NFS and really want to get to NFS4 sec=krb5[ip] with GSSAPI security, these are developments you might be interested in.</div>
<div><br></div><div>I know many users of many distros are recommending the System Security Services Daemon (SSSD) over separate, legacy PAM/NSS modules, and some are even building the IPA Client to make integration easier as well, but the GSS-proxy might be an added solution for different systems that vary in their support.</div>
<div><br></div><div>Again, just FYI. I didn't want to detract from David's presentation, so I didn't want to talk SELinux 101. I just wanted to provide supplementary links once you get to using SELinux to realize where it's going. I.e., I professionally see it most requested with kvm and, for those who use them, lxc, because no one wants users breaking out of a Hypervisor and going promiscuous on network interfaces (e.g., tapping traffic/VLANs used by instances). The NFS4.x developments are also of interest, both for SELinux labels (which David is involved with) as well as GSSAPI for authorization/privacy in communication/payloads.</div>
<div><br></div><div>-- bjs</div><div><br></div><div>References: </div><div>[1] <a href="http://www.redhat.com/summit/2013/presentations/">http://www.redhat.com/summit/2013/presentations/</a></div>[2] <a href="http://rhsummit.files.wordpress.com/2013/06/dumas_w_0120_rhel_roadmap1.pdf">http://rhsummit.files.wordpress.com/2013/06/dumas_w_0120_rhel_roadmap1.pdf</a><div>
[3] <a href="http://rhsummit.files.wordpress.com/2013/06/sarathy_w_0340_secure_linux_containers_roadmap.pdf">http://rhsummit.files.wordpress.com/2013/06/sarathy_w_0340_secure_linux_containers_roadmap.pdf</a></div><div>[4] <a href="http://rhsummit.files.wordpress.com/2013/06/dickson_t_0230_evolvingimprovingredhatenterpriselinuxnfs.pdf">http://rhsummit.files.wordpress.com/2013/06/dickson_t_0230_evolvingimprovingredhatenterpriselinuxnfs.pdf</a></div>
</div><div>[5] <a href="http://rhsummit.files.wordpress.com/2013/06/saldhana_dpal_f_0945_stitching_infrastructure.pdf">http://rhsummit.files.wordpress.com/2013/06/saldhana_dpal_f_0945_stitching_infrastructure.pdf</a></div>
<div><br><div><div>**Just a term I started using so it doesn't favor any distro over another. DISCLAIMER: I hung around with the co-maintainer of Scientific Linux at Summit, and mentioned my thoughts of not calling any [R]entstream by brand name (or Red Hat(R) for that matter). I am also trying to coin the term "Free Rent" because everyone needs a place to live that is maintained long-term by others (after all, what Red Hat does is more like "maintaining," but returns the investments upstream as well), but not everyone can always afford it (e.g., companies operating in the red, instead of black).</div>
<div>"Free Rent ... in the Rentstream (Rebuilt ENTerprise downStream)"</div><div> - <a href="http://bjs-redhat.livejournal.com/5147.html">http://bjs-redhat.livejournal.com/5147.html</a></div><div><br></div><div>
<br></div>--<br>Bryan J Smith - Professional, Technical Annoyance<br>b.j.smith at <a href="http://ieee.org" target="_blank">ieee.org</a> - <a href="http://www.linkedin.com/in/bjsmith" target="_blank">http://www.linkedin.com/in/bjsmith</a><br>
<br>
</div></div>
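<div>As an added illustration of the sec=krb5[ip] point in the mail above (this is not Bryan's code nor any Red Hat material), a POSIX shell check that reads /proc/mounts-style lines and reports, per NFS mount, the negotiated NFS version and GSSAPI security flavor, flagging mounts that did not end up with krb5p. The mount lines are constructed samples; on a real host you would feed it the contents of /proc/mounts.</div>

```shell
#!/bin/sh
# Constructed sample of /proc/mounts lines (not captured from a real host).
SAMPLE_MOUNTS='nfsserver:/export/home /home nfs4 rw,relatime,vers=4.2,sec=krb5p,clientaddr=192.0.2.10 0 0
nfsserver:/export/share /mnt/share nfs4 rw,relatime,vers=4.0,sec=sys 0 0
nfsserver:/export/data /mnt/data nfs4 rw,relatime,vers=4.1,sec=krb5i 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# nfs_opt "<options>" "<key>" -> value of key=... in a comma-separated
# mount option list (empty if the key is absent).
nfs_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# audit_nfs_mounts "<mounts text>" -> one line per NFS mount:
#   <mountpoint> <nfs version> <sec flavor> <verdict>
# Verdict: OK for krb5p (authentication + integrity + privacy),
# WEAK for krb5 or krb5i (Kerberos auth but no payload privacy),
# NONE for sec=sys (AUTH_SYS, i.e. trusting client-asserted UIDs).
# Note: NFS 4.2 is the version that carries SELinux security labels.
audit_nfs_mounts() {
    printf '%s\n' "$1" | while read -r src mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        flavor=$(nfs_opt "$opts" sec)
        [ -n "$flavor" ] || flavor=sys        # kernel default when sec= is absent
        vers=$(nfs_opt "$opts" vers)
        [ -n "$vers" ] || vers=unknown
        case "$flavor" in
            krb5p)      verdict=OK ;;
            krb5|krb5i) verdict=WEAK ;;
            *)          verdict=NONE ;;
        esac
        printf '%s %s %s %s\n' "$mnt" "$vers" "$flavor" "$verdict"
    done
}

# count_non_private "<mounts text>" -> number of NFS mounts not using krb5p.
count_non_private() {
    audit_nfs_mounts "$1" | awk '$4 != "OK" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a real host use
#   audit_nfs_mounts "$(cat /proc/mounts)"
audit_nfs_mounts "$SAMPLE_MOUNTS"
```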