Re: Does anyone use SELinux on their zLinux platforms?

2011-07-17 Thread George, Kevin A
The user settings are defined on each server. All SELinux settings are 
currently only stored on each server. There appears to be some research and 
testing into methods to have a central server but that is not in the mainstream 
yet.


Kevin George
Compuware / U.S. Office of Personnel Management

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of CHAPLIN, 
JAMES (CTR)
Sent: Friday, July 15, 2011 4:12 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Does anyone use SELinux on their zLinux platforms?

One last question, I am trying to understand where the SELinux settings
for a user are stored, like the User Statements with the assigned roles
stored for SELinux? Same question on the defined Roles and Role
Statements? Does SELinux User mapping have to be defined on each server?



James Chaplin

Systems Programmer, MVS, zVM & zLinux

Base Technologies, a CA Technologies Company

Department of Homeland Security/U.S. Customs & Border Protection



--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
visit
http
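
With SELinux login mappings kept on each server rather than in a central store, one practical check is to collect them and compare. The following is an added example, not part of the original thread or any poster's setup; the host names `zlnx01`/`zlnx02`, the sample mappings and the function names are constructed, and the input is assumed to be in the `login:seuser:mls-range` format of `/etc/selinux/targeted/seusers`.

```shell
#!/bin/sh
# Added example: report login names whose SELinux user mapping differs
# between servers. Collect one file per host first, for instance a copy of
# /etc/selinux/targeted/seusers (semanage login -l shows the same mappings).
# Lines are login:seuser:mls-range; a leading % marks a Linux group.

seusers_drift() {
    awk -F: '
    function val(l, f) { return ((l, f) in m) ? m[l, f] : "(absent)" }
    FNR == 1 { files[++n] = FILENAME }      # one entry per non-empty file
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        m[$1, FILENAME] = substr($0, length($1) + 2)   # seuser:mls-range
        logins[$1] = 1
    }
    END {
        for (l in logins) {
            differs = 0
            for (i = 2; i <= n; i++)
                if (val(l, files[i]) != val(l, files[1])) differs = 1
            if (!differs) continue
            line = l
            for (i = 1; i <= n; i++) {
                host = files[i]; sub(/.*\//, "", host)   # file name = host
                line = line " " host "=" val(l, files[i])
            }
            print line
        }
    }' "$@" | LC_ALL=C sort
}

# Constructed sample data for two hypothetical hosts.
make_sample_hosts() {
    dir=$(mktemp -d)
    cat > "$dir/zlnx01" <<'EOF'
# constructed sample: seusers from host zlnx01
__default__:user_u:s0
root:root:s0-s0:c0.c1023
dbadmin:staff_u:s0
EOF
    cat > "$dir/zlnx02" <<'EOF'
# constructed sample: seusers from host zlnx02
__default__:user_u:s0
root:root:s0-s0:c0.c1023
dbadmin:user_u:s0
auditor:staff_u:s0
EOF
    echo "$dir"
}

demo_dir=$(make_sample_hosts)
seusers_drift "$demo_dir/zlnx01" "$demo_dir/zlnx02"
rm -rf "$demo_dir"
```

Each output line names a login and its mapping on every host, so a missing or weaker mapping on one server stands out.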

Does anyone use SELinux on their zLinux platforms?

2011-07-15 Thread CHAPLIN, JAMES (CTR)
Does anyone have SELinux up and running as their RBAC security on a
zLinux server? I am also curious to know how they have user
authentication set up, are they using files (/etc/passwd) LDAP, NIS, PAM
or other methods. I am on the learning curve here and would like to hear
user experiences as I move forward. I welcome the good, bad and the ugly
of comments on this topic.

 

James Chaplin

Systems Programmer, MVS, zVM & zLinux

Base Technologies, a CA Technologies Company


--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: Does anyone use SELinux on their zLinux platforms?

2011-07-15 Thread George, Kevin A
We are currently implementing RedHat Linux 5.5 with SELinux enabled. We are 
using LDAP on z/OS for the authentication. There are some things we had to 
learn about SELinux before we could successfully install some products and some 
vendors do not help much. We install third party software with SELinux in 
permissive mode which, with setroubleshootd enabled, allows you to see what 
would cause a failure when in enforcing mode. This allows you to correct the 
SELinux rules so the product works correctly and gives you something to beat on 
the vendor with. Most products that we are using either do not require changes 
or have minimal changes.


Kevin George
Compuware / U.S. Office of Personnel Management


-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of CHAPLIN, 
JAMES (CTR)
Sent: Friday, July 15, 2011 9:39 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Does anyone use SELinux on their zLinux platforms?

Does anyone have SELinux up and running as their RBAC security on a
zLinux server? I am also curious to know how they have user
authentication set up, are they using files (/etc/passwd) LDAP, NIS, PAM
or other methods. I am on the learning curve here and would like to hear
user experiences as I move forward. I welcome the good, bad and the ugly
of comments on this topic.



James Chaplin

Systems Programmer, MVS, zVM & zLinux

Base Technologies, a CA Technologies Company




Re: Does anyone use SELinux on their zLinux platforms?

2011-07-15 Thread CHAPLIN, JAMES (CTR)
Kevin,

That sounds like the direction that I am currently trying to promote at
our worksite. I have one question with authentication. With LDAP, are
you going against RACF for the password and the user Statements with the
related Roles and role statements, where are these stored? Are you able
to use LDAP as the central location for these values on zOS for all
Linux users and servers to access them from? We are not using LDAP, as
we have CA's eTrust Top Secret at our shop on the zOS security package.
We are using a different tool to retrieve user password, uid & gid from
Top Secret at our shop. At this time, CA has stated that they are not
supporting SELinux values, but are considering this for the future.

 

James Chaplin

Systems Programmer, MVS, zVM & zLinux

Base Technologies, a CA Technologies Company

Department of Homeland Security/U.S. Customs & Border Protection

 

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of
George, Kevin A
Sent: Friday, July 15, 2011 10:36 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Does anyone use SELinux on their zLinux platforms?

 

We are currently implementing Red Hat Linux 5.5 with SELinux enabled. We
are using LDAP on z/OS for the authentication. There are some things we
had to learn about SELinux before we could successfully install some
products and some vendors do not help much. We install third party
software with SELinux in permissive mode which, with setroubleshootd
enabled, allows you to see what would cause a failure when in enforcing
mode. This allows you to correct the SELinux rules so the product works
correctly and gives you something to beat on the vendor with. Most
products that we are using either do not require changes or have minimal
changes.

 



Kevin George

Compuware / U.S. Office of Personnel Management

 

 



Re: Does anyone use SELinux on their zLinux platforms?

2011-07-15 Thread George, Kevin A
We are not currently using LDAP for any SELinux information. We use LDAP for 
normal Linux/unix authentication values like uid, gid, home, etc... We also 
have sudo using LDAP for its rules so we do not have a sudoers file in /etc and 
can control it from a central location. We also control which host a given ID 
is allowed to log on to from the LDAP. The password used is the RACF password 
because we have enabled the LDAP server to use RACF for password validation.


Kevin George
Compuware / U.S. Office of Personnel Management

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of CHAPLIN, 
JAMES (CTR)
Sent: Friday, July 15, 2011 10:53 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Does anyone use SELinux on their zLinux platforms?

Kevin,

That sounds like the direction that I am currently trying to promote at
our worksite. I have one question with authentication. With LDAP, are
you going against RACF for the password and the user Statements with the
related Roles and role statements, where are these stored? Are you able
to use LDAP as the central location for these values on zOS for all
Linux users and servers to access them from? We are not using LDAP, as
we have CA's eTrust Top Secret at our shop on the zOS security package.
We are using a different tool to retrieve user password, uid & gid from
Top Secret at our shop. At this time, CA has stated that they are not
supporting SELinux values, but are considering this for the future.



James Chaplin

Systems Programmer, MVS, zVM & zLinux

Base Technologies, a CA Technologies Company

Department of Homeland Security/U.S. Customs & Border Protection




Re: Does anyone use SELinux on their zLinux platforms?

2011-07-15 Thread CHAPLIN, JAMES (CTR)
One last question, I am trying to understand where the SELinux settings
for a user are stored, like the User Statements with the assigned roles
stored for SELinux? Same question on the defined Roles and Role
Statements? Does SELinux User mapping have to be defined on each server?

 

James Chaplin

Systems Programmer, MVS, zVM & zLinux

Base Technologies, a CA Technologies Company

Department of Homeland Security/U.S. Customs & Border Protection

 

-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of
George, Kevin A
Sent: Friday, July 15, 2011 11:08 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Does anyone use SELinux on their zLinux platforms?

 

We are not currently using LDAP for any SELinux information. We use LDAP
for normal Linux/unix authentication values like uid, gid, home, etc...
We also have sudo using LDAP for its rules so we do not have a sudoers
file in /etc and can control it from a central location. We also control
which host a given ID is allowed to log on to from the LDAP. The
password used is the RACF password because we have enabled the LDAP
server to use RACF for password validation.

 



Kevin George

Compuware / U.S. Office of Personnel Management

 
