On Tue, Jun 01, 2004 at 09:07:59PM -0400, Kevin F. Berrien wrote:
> Date: Tue, 01 Jun 2004 21:07:59 -0400
> From: "Kevin F. Berrien" <kblists@xxxxxxxxxxx>
> To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
> Subject: Re: Firewall - Very limited Access - suggestions
> Reply-To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
>
> Well, given the lack of "easy" options (which is probably a good
> thing), I'm going to have to build a script by hand. This way I'll
> understand it, and know it's RIGHT. Actually, I've been misstating my
> project as a bastion firewall, when I really meant a choke firewall.
> This will separate our WAN (with its own bastion) from the Police Dept
> LAN. SELinux sounds like a good idea, but I think I'll take smaller
> steps first.

SELinux is not as hard to turn on and work with as some will tell you.
The default policy is relaxed and provides a context to tighten,
restrict, restrain or isolate things. The hard part will be building a
local policy. If it gets in the way, toggle to permissive mode and the
log messages will help discover what needs to be fixed.

In /etc/security/selinux/src/policy you will find about four hundred
files that address policy for most interesting functions in FC2.
Examples:

./file_contexts/program/rpm.fc
./domains/program/rpm.te
./file_contexts/program/qmail.fc
# lots more...

Once you have the default policy activated (permissive or enforcing)
there is a framework to begin working with. You can postpone working on
local policy extension for a long time and take advantage of simple
auditing.

Start in permissive mode!

--
T o m M i t c h e l l
/dev/dull the destination for posts like this.
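The permissive-mode workflow Tom describes (run with the policy loaded but not enforcing, then read the AVC denials out of the logs to see what the local policy is missing) can be scripted. The following is an added example, not code from the original thread or from the SELinux project: it parses kernel AVC denial records, merges denials that share the same source type, target type and object class, and renders each group as a candidate `allow` rule in `.te` syntax, the same shape as the `domains/program/*.te` files mentioned above. The log lines embedded in `SAMPLE_LOG` are constructed for the example and only mirror the FC2-era `audit(...): avc: denied { perms } for ... scontext=... tcontext=... tclass=...` layout; in practice you would feed it `dmesg` or `/var/log/messages`.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FC2-era kernel AVC format (not taken from
# the original post); a real run would read dmesg or /var/log/messages.
SAMPLE_LOG = """\
audit(1086140000.101:0): avc:  denied  { read } for  pid=2011 exe=/usr/sbin/httpd name=index.html dev=hda3 ino=40123 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1086140000.102:0): avc:  denied  { getattr } for  pid=2011 exe=/usr/sbin/httpd name=index.html dev=hda3 ino=40123 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1086140001.310:0): avc:  denied  { name_bind } for  pid=2042 exe=/usr/sbin/sshd scontext=root:system_r:sshd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
Jun  1 21:10:02 choke kernel: unrelated message that is not an AVC record
"""

# "avc:  denied  { read getattr } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)), or None
    if the line is not an AVC denial record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    try:
        # Contexts are user:role:type; policy rules are written on the type.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    perms = frozenset(m.group("perms").split())
    return src, tgt, tclass, perms


def summarize(log_text):
    """Merge every denial into {(src_type, tgt_type, tclass): set(perms)}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        merged[(src, tgt, tclass)].update(perms)
    return dict(merged)


def to_te_rules(merged):
    """Render the merged denials as candidate .te allow rules, in a stable order."""
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (src, tgt, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in to_te_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Treat the output as a worklist, not as policy to paste in. A denial of `httpd_t` on `user_home_t` usually means the file is mislabeled (fix the label, not the policy), and a denial can also be the audit trail of something that should not have been allowed in the first place; the rule generator cannot tell those cases apart, which is why permissive mode plus a human reading the summary is the safe first step.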