* New to list
@ 2001-02-26 18:22 Mark Lucas
  2001-02-26 19:14 ` Jose Nazario
  2001-03-09 19:09 ` How is 2.4.x progressing? Johnathon Day
  0 siblings, 2 replies; 4+ messages in thread
From: Mark Lucas @ 2001-02-26 18:22 UTC (permalink / raw)
  To: selinux

Just signed up on the list.  We are building BeoWulf clusters as 
geospatial rendering engines and are working with several government 
agencies in the process.  I'm hoping that we can apply the excellent 
work of this group towards improving our system and satisfying the 
various security concerns as our systems begin to integrate with 
various secure networks.  We are currently running RH 6.2, but plan 
on remaining current with the major releases (will probably wait for 
7.1 and the 2.4 kernel for the next upgrade).

Have there been any specific modifications with regard to clusters?

How difficult is it going to be to upgrade as new releases appear?

We host http://www.remotesensing.org which hosts open source 
development for remote sensing and GIS.  One project that may be of 
interest to this group is the Configuration File Management (CFM) 
system.  This will remotely manage configuration files on 
heterogeneous systems, report discrepancies and correct the 
configuration files if required.  It is open source and we have used 
it in our business to successfully manage the configuration of 
internal and external machines.

Looking forward to working with the group.

Mark

-- 
**********************
Mark R Lucas
Chief Technical Officer
ImageLinks Inc.
4450 W Eau Gallie Blvd
Suite 164
Melbourne Fl 32934

321 253 0011 (work)
321 253 5559 (fax)

mlucas@imagelinks.com
**********************

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: New to list
  2001-02-26 18:22 New to list Mark Lucas
@ 2001-02-26 19:14 ` Jose Nazario
  2001-02-26 20:49   ` Clusters and SELinux (was Re: New to list) Chuck Watson
  2001-03-09 19:09 ` How is 2.4.x progressing? Johnathon Day
  1 sibling, 1 reply; 4+ messages in thread
From: Jose Nazario @ 2001-02-26 19:14 UTC (permalink / raw)
  To: Mark Lucas; +Cc: selinux

On Mon, 26 Feb 2001, Mark Lucas wrote:

> Just signed up on the list.  We are building BeoWulf clusters as
> geospatial rendering engines and are working with several government
> agencies in the process.  I'm hoping that we can apply the excellent
> work of this group towards improving our system and satisfying the
> various security concerns as our systems begin to integrate with
> various secure networks.

hi mark

i've built a beowulf, i do a lot of high performance computing in my line
of work. and honestly, aside from the perimeter, i can't see any advantage
to using SELinux or any similar facility for clustered computing.

file access can be guarded using standard UNIX DACLs to a sufficient
level. if you're not finding this to be true, i would imagine you're not
toying with them enough.

rarely do users need to access system portions in their calculations or
computing that cannot be handled within the kernel using normal Beowulf
structures (ie shared memory).

as for the gateway, again, some tight normal UNIX DACLs and good firewall
rules and you should be set. we never had a problem with users requiring
system access to get to usable portions of the cluster.

i'm also a bit familiar (though not as much as many on this list, to be
sure) with SELinux and what it does, too. i love it, but i just don't see
it being applicable in a situation like this.

however, maybe i'm looking at this in way too limited a view. i'd be happy
to hear how you want to apply it.

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)



* Clusters and SELinux (was Re: New to list)
  2001-02-26 19:14 ` Jose Nazario
@ 2001-02-26 20:49   ` Chuck Watson
  0 siblings, 0 replies; 4+ messages in thread
From: Chuck Watson @ 2001-02-26 20:49 UTC (permalink / raw)
  To: Jose Nazario, Mark Lucas; +Cc: selinux

Hello everyone -
  We are currently experimenting with SELinux on our backup cluster console, as
well as playing with various job control and submission methods.  We have two 32
processor Beowulfs running meteorological hazard models (some stuff is on-line at
http://www.methaz.com/wxdata/tracking; there is a small storm that just made
landfall in northern Australia).   We want to restrict access to some kinds of
model runs and output data for a variety of reasons, such as, for instance,
confidential insurance data.  Currently sensitive work is on the "off network"
cluster, and is physically connected only long enough to transmit data to the
transfer site.

  I agree with Jose that the place for security is at the cluster console, job
submission machine, or perimeter.  Our compute nodes are as clean as we can
possibly make them for performance reasons, and are on their own subnet off of
the console anyway, as with most clusters.   I'm not sure what the performance
hit would be using SELinux on the compute nodes, but in most fluid dynamic models
every clock cycle counts.  On our net, the only machine available to even the
inside world is the console, which would be the point of external attack unless
someone physically breaks in (and the compute nodes are headless, so unless they
cart the whole thing off in a truck, again the console is the place to worry).

Chuck

Jose Nazario wrote:

> On Mon, 26 Feb 2001, Mark Lucas wrote:
>
> > Just signed up on the list.  We are building BeoWulf clusters as
> > geospatial rendering engines and are working with several government
> > agencies in the process.  I'm hoping that we can apply the excellent
> > work of this group towards improving our system and satisfying the
> > various security concerns as our systems begin to integrate with
> > various secure networks.
>
> hi mark
>
> i've built a beowulf, i do a lot of high performance computing in my line
> of work. and honestly, aside from the perimeter, i can't see any advantage
> to using SELinux or any similar facility for clustered computing.
>
> file access can be guarded using standard UNIX DACLs to a sufficient
> level. if you're not finding this to be true, i would imagine you're not
> toying with them enough.
>
> rarely do users need to access system portions in their calculations or
> computing that cannot be handled within the kernel using normal Beowulf
> structures (ie shared memory).
>
> as for the gateway, again, some tight normal UNIX DACLs and good firewall
> rules and you should be set. we never had a problem with users requiring
> system access to get to usable portions of the cluster.
>
> i'm also a bit familiar (though not as much as many on this list, to be
> sure) with SELinux and what it does, too. i love it, but i just don't see
> it being applicable in a situation like this.
>
> however, maybe i'm looking at this in way too limited a view. i'd be happy
> to hear how you want to apply it.
>
> ____________________________
> jose nazario                                                 jose@cwru.edu
>                      PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
>                                        PGP key ID 0xFD37F4E5 (pgp.mit.edu)

--
Chuck Watson
Watson Technical Consulting
cwatson@methaz.com
http://www.methaz.com/
(912) 663-1254

   The purpose of computing is insight, not numbers.
          -- Hamming


* How is 2.4.x progressing?
  2001-02-26 18:22 New to list Mark Lucas
  2001-02-26 19:14 ` Jose Nazario
@ 2001-03-09 19:09 ` Johnathon Day
  1 sibling, 0 replies; 4+ messages in thread
From: Johnathon Day @ 2001-03-09 19:09 UTC (permalink / raw)
  To: selinux

Hi,

   Long time, no post. Thought I'd drop a note and ask how the port to
Linux 2.4.x was progressing. Also, wondering if SE Linux made any use of
the International Patch, if installed. (SE Linux might not use crypto,
but I'd be amazed if it never used secure hash functions.)

   Also, to go back to the IPSec question, NIST's Cerberus IPSec was/is
either funded by, or partially developed by the NSA, if I'm reading the
documents rightly. However, it was said (more than once) on this list
that SE Linux will -probably- use FreeSWAN. My question here is not
whether that is technically the right decision (FreeSWAN is evolving,
Cerberus is stagnating), but whether the SE Linux core team is going to
be free to make it. I could just be over-anxious, here, but I don't know
of many PHB's who will pay to develop one product, and then use a
"competitor's". Any reassurance on this would be gratefully received.

Jonathan Day
