* New to list
From: Mark Lucas @ 2001-02-26 18:22 UTC
To: selinux

Just signed up on the list. We are building BeoWulf clusters as
geospatial rendering engines and are working with several government
agencies in the process. I'm hoping that we can apply the excellent
work of this group towards improving our system and satisfying the
various security concerns as our systems begin to integrate with
various secure networks.

We are currently running RH 6.2, but plan on remaining current with the
major releases (will probably wait for 7.1 and the 2.4 kernel for the
next upgrade). Have there been any specific modifications with regards
to clusters? How difficult is it going to be to upgrade as new releases
appear?

We host http://www.remotesensing.org which hosts open source
development for remote sensing and GIS. One project that may be of
interest to this group is the Configuration File Management (CFM)
system. This will remotely manage configuration files on heterogeneous
systems, report discrepancies and correct the configuration files if
required. It is open source and we have used it in our business to
successfully manage the configuration of internal and external machines.

Looking forward to working with the group.

Mark
--
**********************
Mark R Lucas
Chief Technical Officer
ImageLinks Inc.
4450 W Eau Gallie Blvd Suite 164
Melbourne Fl 32934
321 253 0011 (work)
321 253 5559 (fax)
mlucas@imagelinks.com
**********************

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: New to list
From: Jose Nazario @ 2001-02-26 19:14 UTC
To: Mark Lucas; +Cc: selinux

On Mon, 26 Feb 2001, Mark Lucas wrote:

> Just signed up on the list. We are building BeoWulf clusters as
> geospatial rendering engines and are working with several government
> agencies in the process. I'm hoping that we can apply the excellent
> work of this group towards improving our system and satisfying the
> various security concerns as our systems begin to integrate with
> various secure networks.

hi mark

i've built a beowulf, i do a lot of high performance computing in my line
of work. and honestly, aside from the perimeter, i can't see any advantage
to using SELinux or any similar facility for clustered computing.

file access can be guarded using standard UNIX DACLs to a sufficient
level. if you're not finding this to be true, i would imagine you're not
toying with them enough.

rarely do users need to access system portions in their calculations or
computing that cannot be handled within the kernel using normal Beowulf
structures (ie shared memory).

as for the gateway, again, some tight normal UNIX DACLs and good firewall
rules and you should be set. we never had a problem with users requiring
system access to get to usable portions of the cluster.

i'm also a bit familiar (though not as much as many on this list, to be
sure) with SELinux and what it does, too. i love it, but i just don't see
it being applicable in a situation like this.

however, maybe i'm looking at this in way too limited a view. i'd be happy
to hear how you want to apply it.

____________________________
jose nazario                                    jose@cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

* Clusters and SELinux (was Re: New to list)
From: Chuck Watson @ 2001-02-26 20:49 UTC
To: Jose Nazario, Mark Lucas; +Cc: selinux

Hello everyone -

We are currently experimenting with SELinux on our backup cluster
console, as well as playing with various job control and submission
methods. We have two 32 processor Beowulfs running meteorological
hazard models (some stuff is on-line at
http://www.methaz.com/wxdata/tracking; there is a small storm that just
made landfall in northern Australia). We want to restrict access to
some kinds of model runs and output data for a variety of reasons, such
as, for instance, confidential insurance data. Currently sensitive work
is on the "off network" cluster, and then physically connected only long
enough to transmit data to the transfer site.

I agree with Jose that the place for security is at the cluster
console, job submission machine, or perimeter. Our compute nodes are as
clean as we can possibly make them for performance reasons, and are on
their own subnet off of the console anyway, as with most clusters. I'm
not sure what the performance hit would be using SELinux on the compute
nodes, but in most fluid dynamic models every clock cycle counts. On
our net, the only machine available to even the inside world is the
console, which would be the point of external attack unless someone
physically breaks in (and the compute nodes are headless, so unless
they cart the whole thing off in a truck, again the console is the
place to worry).

Chuck

Jose Nazario wrote:

> On Mon, 26 Feb 2001, Mark Lucas wrote:
>
> > Just signed up on the list. We are building BeoWulf clusters as
> > geospatial rendering engines and are working with several government
> > agencies in the process. I'm hoping that we can apply the excellent
> > work of this group towards improving our system and satisfying the
> > various security concerns as our systems begin to integrate with
> > various secure networks.
>
> hi mark
>
> i've built a beowulf, i do a lot of high performance computing in my line
> of work. and honestly, aside from the perimeter, i can't see any advantage
> to using SELinux or any similar facility for clustered computing.
>
> file access can be guarded using standard UNIX DACLs to a sufficient
> level. if you're not finding this to be true, i would imagine you're not
> toying with them enough.
>
> rarely do users need to access system portions in their calculations or
> computing that cannot be handled within the kernel using normal Beowulf
> structures (ie shared memory).
>
> as for the gateway, again, some tight normal UNIX DACLs and good firewall
> rules and you should be set. we never had a problem with users requiring
> system access to get to usable portions of the cluster.
>
> i'm also a bit familiar (though not as much as many on this list, to be
> sure) with SELinux and what it does, too. i love it, but i just don't see
> it being applicable in a situation like this.
>
> however, maybe i'm looking at this in way too limited a view. i'd be happy
> to hear how you want to apply it.
>
> ____________________________
> jose nazario                                  jose@cwru.edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)

--
Chuck Watson
Watson Technical Consulting
cwatson@methaz.com
http://www.methaz.com/
(912) 663-1254

The purpose of computing is insight, not numbers. -- Hamming

* How is 2.4.x progressing?
From: Johnathon Day @ 2001-03-09 19:09 UTC
To: selinux

Hi,

Long time, no post. Thought I'd drop a note and ask how the port to
Linux 2.4.x was progressing.

Also, wondering if SE Linux made any use of the International Patch, if
installed. (SE Linux might not use crypto, but I'd be amazed if it
never used secure hash functions.)

Also, to go back to the IPSec question, NIST's Cerberus IPSec was/is
either funded by, or partially developed by the NSA, if I'm reading the
documents rightly. However, it was said (more than once) on this list
that SE Linux will -probably- use FreeSWAN.

My question here is not whether that is technically the right decision
(FreeSWAN is evolving, Cerberus is stagnating), but whether the SE
Linux core team is going to be free to make it.

I could just be over-anxious, here, but I don't know of many PHB's who
will pay to develop one product, and then use a "competitor's". Any
reassurance on this would be gratefully received.

Jonathan Day

Thread overview: 4+ messages

2001-02-26 18:22 New to list Mark Lucas
2001-02-26 19:14 ` Jose Nazario
2001-02-26 20:49   ` Clusters and SELinux (was Re: New to list) Chuck Watson
2001-03-09 19:09 ` How is 2.4.x progressing? Johnathon Day