[Wine] Crazy (and just maybe awesome) idea: Winux

James McKenzie jjmckenzie51 at earthlink.net
Sun Mar 7 20:44:11 CST 2010


oiaohm wrote:
> I know tripwire.  Biggest flaw: it's not real time. fanotify will allow that to be changed at least part of the way for file-system operations.  Second big problem with tripwire is false positives.
>
> SELinux guarding services you most of the time don't even notice.  Since distributions who did the SELinux system did it right in the first place.    Yes SELinux has 3 basic modes.  Off, Limited protection ie protect only items like services and god darn paranoid.
>
>   
SELinux is also a product of the National Security Agency of the United
States Government.   They have a reason to lock down computers to
prevent unauthorized use.  Unfortunately, not every system administrator
is willing or has the knowledge to properly configure it.  That is why
most folks don't like it.  If you set it up properly, then you don't get
'surprises'.  Sort of like setting up Windows Vista UAE on Full/High. 
Real pain.
> God darn paranoid is what most people know and fear.  SELinux has some reasonable front ends out there these days.  No more annoying than putting up with zonealarm on windows.
>   
And we should all be paranoid.  Yes, they are really out to get you and
your computer.  They will then do bad things with it. 
> There is also smack if you don't particularly like SELinux; both are peer reviewed.
>
>   
And that is only the half of it. 
> Martin I have never had a DBMS system I have not been able to make work with SELinux.   Note SELinux programmers considered everything.  SELinux profile writers don't always.  http://sourceforge.net/projects/segatex/ makes correcting policies quite simple.
>   
SELinux, as originally developed, was not designed for this.  However,
you do have a valid complaint.  RDBMS systems should be able to operate
with SELinux running at full strength.  That is why it is there.
> http:~user/...   I have done that stuff with SELinux in place.   Some distributions have it work from the start line.   There is a learning mode you can set up for SELinux these days for oddball problems.
>
>   
SELinux should work with web servers in non-secure and secure modes.  It
should work with Tomcat publishing dynamic pages as well.
> It's part having the right tools for the job Martin.
>
> MS released a so-called anti-virus that used CRC32 checksums back in the WFW 3.11 time frame.  Only one problem: CRC32 checksums could be collided simply so it was rendered useless.
>   
It was also a joke.  You could fake the CRC32 of a file and keep on
going.  There was a contest to see who could infect the most files. 
Microsoft pulled it after this was demonstrated.  Fortunately, not many
folks relied on it either.

However, and relating this to Wine.  SELinux should not, if properly
configured, affect any user-space application that is behaving.  It is
when we decide to do things like host DNS servers on it that problems
should occur, and rightfully so.  We should be able to use Web Browsers
and other Internet facing applications.  Oracle clients should be able
to run on it, with minor configuration changes (SELinux does not
normally allow high to high connections, but the world famous port for
Oracle is in the high port range.)

And the added security should not be a security blanket either.  SELinux
is just another level of host based security.  If you are really
paranoid, you can run a complete suite of applications.  Anti-virus,
anti-spyware, and other programs as well as SELinux.  Unfortunately,
Wine does not run anti-virus programs very well, if at all.  However,
anti-spyware programs should run on Wine.  That is the start of the
battle against the 'bad' guys who only want to steal the use of your
system for their needs...

BTW, Macs are also subject to this type of piracy as well.
James McKenzie



