SELinux

netman4ttm
07-21-2004, 06:27 PM
In the continuing story of "gee, I should be able to do this," I tried SELinux and have now figured out that this is more than a one-week process.
I managed to load Fedora Core 2 and get it running.
Got rid of all the stuff I didn't need.
Started the lock down process and found that I made this system soooo secure that even root could not modify it. Well, I'm sure that isn't how it's supposed to work. I'm sure of this because nothing works.

Starting again tomorrow.

What I have learned:
1. Never rely on a RAID 5 drive for virtual memory. If you are going to use RAID 5, add enough RAM so swap or VM is not needed. The writing and reading of the parity bit adds too much delay. According to IBM this is not an issue with mirroring or RAID 0.

2. IBM servers do not come with PS/2 ports. You need a breakout cable (not included) to add a keyboard, mouse and monitor. Of course you can chain 22 servers together; but the first server needs that $64.00 cable.

3. Spamassassin takes 2.5 sec to read an e-mail and forever to deliver mail.

4. NSA needs to issue an iso for the security impaired; ME!

I will let the world know how this goes but I see crashing systems all around me.

netman4ttm
07-21-2004, 07:45 PM
The tech support guys at IBM must be bored out of their minds; or they think this is a neat idea, or they are laughing their biblical donkeys off. Not sure which.

Fedora is ok but you need the SGI patch for the kernel, so you can create an XFS filesystem (works better than ext3, and ReiserFS doesn't work).

Security should not be this difficult.

netman4ttm
07-21-2004, 08:00 PM
Got the kernel and supporting software here.

http://www.nsa.gov/selinux/code/download5.cfm

Your tax dollars at work. I wonder if Ms. Rice knows about this?

mushroom
07-21-2004, 10:16 PM
You picked a good one, without a doubt the most secure OS on the planet. Hope you have plenty of Linux experience already; I understand it is difficult to work with.

netman4ttm
07-22-2004, 11:51 AM
Grabbed "Securing and Optimizing Linux" from this site.
http://www.tldp.org/guides.html This pdf is worth its weight (once printed) in gold.
The saga continues.

NSA supplies tarballs, so I'm reinstalling Fedora so I have the tools necessary to build my own kernel.

I have a feeling that the moderators might need to clean up my potty typing.

mikmik
07-23-2004, 08:44 AM
netman4ttm, LOL, you wrote:

Started the lock down process and found that I made this system soooo secure that even root could not modify it. Well, I'm sure that isn't how it's supposed to work. I'm sure of this because nothing works

Oh, man LOFL!

I thought Windows was a nightmare to configure; at least it has a GUI.

I spent 5 or 6 hours TWICE setting up a super secure configuration, only to not be able to sign in on reboot, not enough privileges ROFLMAO!! And forget about booting to the command prompt, I never had so many "access denied"s in my life!

I can only just imagine what YOU went through to set it up on that kernel, yikes LOL

I throw all my furniture off the balcony when I can't take it anymore hahahaaaaaaaaaa (just kidding, but it helps me laugh thinking about it)

Here to give moral support, netman4ttm :O)

netman4ttm
07-28-2004, 02:39 PM
The saga continues.
1. The 2.6 kernel adds some twists to this tale.
2. Know your motherboard, you will be asked about it.
3. They have gone back to building the net filters inside the kernel. The modules are gone. When in doubt, answer yes to the security questions.
4. When asked if you want the SELinux development option, answer yes. That way SELinux starts in permissive mode. Paragraph 10, page 5 of the README, which you only get to see when you open the tarball. And to be really honest, who ever reads the READMEs anyway?
5. make dep is no longer needed.
6. The following are SELinux aware:
a: Fedora 2 (the SELinux kernel was built against this distro)
b: Debian
c: Gentoo
d: SuSE
So how am I doing?
The 3rd install starts tonight.
What I have learned:
The install program for 2.6 is different than for 2.4
make config (answer the questions)
make
make modules_install
make install

NOTA BENE: no make modules in this formula.

Do not remove the original kernel or the headers until you are absolutely sure you have this kernel installed.
In Securing and Optimizing that is the recommended procedure. Do it after you are happy with what you have. Same holds true for the modules.

Make sure you can boot with GRUB; LILO is not available.

netman4ttm
08-04-2004, 05:59 PM
This falls under how stupid do you have to be before you realize what's going on!!!

To run SELinux under Fedora Core 2 you only have to install it.

At the boot prompt for the first install from CD, type
linux selinux

When you get to the firewall configuration page, look in the lower right hand corner and change the SELinux configuration to warn.

You now have installed SELinux, in permissive mode.

netman4ttm
08-05-2004, 11:04 AM
Welcome to the first few lines of the audit trail.

I am working my way through the Fedora Core SELinux FAQ.

Oddly, webmin works connecting remotely but nothing works locally.

Aug 5 07:51:25 couger kernel: audit(1091692243.708:0): avc: denied { search } for pid=453 exe=/usr/bin/rhgb name=var dev=hda3 ino=97345 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091692246.367:0): avc: denied { search } for pid=479 exe=/bin/bash name=var dev=hda3 ino=97345 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091692250.487:0): avc: denied { search } for pid=480 exe=/usr/lib/vte/gnome-pty-helper name=var dev=hda3 ino=97345 scontext=system_u:system_r:rhgb_gph_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.778:0): avc: denied { create } for pid=650 exe=/sbin/lvm.static name=archive scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:lvm_etc_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.788:0): avc: denied { search } for pid=650 exe=/sbin/lvm.static name=var dev=hda3 ino=97345 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.789:0): avc: denied { write } for pid=650 exe=/sbin/lvm.static name=var dev=hda3 ino=97345 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.789:0): avc: denied { add_name } for pid=650 exe=/sbin/lvm.static name=lock scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.789:0): avc: denied { create } for pid=650 exe=/sbin/lvm.static name=lock scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.815:0): avc: denied { read } for pid=650 exe=/sbin/lvm.static name=lvm dev=hda3 ino=132008 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706658.506:0): avc: denied { read } for pid=650 exe=/sbin/lvm.static name=dri dev=hda3 ino=1121950 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706658.509:0): avc: denied { search } for pid=650 exe=/sbin/lvm.static name=dri dev=hda3 ino=1121950 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706659.769:0): avc: denied { search } for pid=650 exe=/sbin/lvm.static dev= ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
Aug 5 07:51:52 couger kernel: audit(1091706712.845:0): avc: denied { unix_read unix_write } for pid=455 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
Aug 5 07:51:52 couger kernel: audit(1091706712.845:0): avc: denied { read write } for pid=455 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
Aug 5 07:51:52 couger kernel: audit(1091706712.845:0): avc: denied { use } for pid=455 path=/SYSV00000000 (deleted) dev= ino=98305 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=fd
Aug 5 07:51:52 couger kernel: audit(1091706712.845:0): avc: denied { read write } for pid=455 path=/SYSV00000000 (deleted) dev= ino=98305 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:tmpfs_t tclass=file
Aug 5 07:51:52 couger kernel: audit(1091706712.845:0): avc: denied { getattr associate } for pid=455 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
Aug 5 07:52:02 couger kernel: audit(1091706722.531:0): avc: denied { read } for pid=2056 exe=/sbin/consoletype path=pipe:[3210] dev= ino=3210 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
Aug 5 07:52:02 couger kernel: audit(1091706722.531:0): avc: denied { write } for pid=2056 exe=/sbin/consoletype path=pipe:[3210] dev= ino=3210 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
Aug 5 07:52:02 couger kernel: audit(1091706722.586:0): avc: denied { read } for pid=2057 exe=/sbin/iptables path=pipe:[3210] dev= ino=3210 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
Aug 5 07:52:02 couger kernel: audit(1091706722.586:0): avc: denied { write } for pid=2057 exe=/sbin/iptables path=pipe:[3210] dev= ino=3210 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
Aug 5 07:52:53 couger kernel: audit(1091706773.495:0): avc: denied { use } for pid=455 path=/SYSV00000000 (deleted) dev= ino=131073 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=fd
Aug 5 07:53:05 couger kernel: audit(1091706785.371:0): avc: denied { read } for pid=2072 exe=/sbin/iptables path=pipe:[3210] dev= ino=3210 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
Aug 5 07:53:05 couger kernel: audit(1091706785.371:0): avc: denied { write } for pid=2072 exe=/sbin/iptables path=pipe:[3210] dev= ino=3210 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
Aug 5 07:52:51 couger kernel: audit(1091706771.727:0): avc: denied { use } for pid=2082 exe=/usr/bin/chfn path=/dev/pts/0 dev= ino=2 scontext=system_u:system_r:chfn_t tcontext=system_u:system_r:init_t tclass=fd
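
As an added example (not part of this thread), a small Python parser for AVC denial lines in the format quoted above: it groups the denials by source type, target type and object class, merges the permissions, and flags denials whose target type is file_t. file_t is the type carried by files that have never been labeled, so those entries point to a filesystem relabel rather than to new allow rules. The sample lines are constructed from the post's format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the AVC format quoted in the post above,
# mixed with one non-AVC kernel line on purpose.
SAMPLE_LOG = """\
Aug 5 07:51:25 couger kernel: audit(1091692243.708:0): avc: denied { search } for pid=453 exe=/usr/bin/rhgb name=var dev=hda3 ino=97345 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.789:0): avc: denied { write } for pid=650 exe=/sbin/lvm.static name=var dev=hda3 ino=97345 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
Aug 5 07:51:25 couger kernel: audit(1091706657.778:0): avc: denied { create } for pid=650 exe=/sbin/lvm.static name=archive scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:lvm_etc_t tclass=dir
Aug 5 07:51:52 couger kernel: audit(1091706712.845:0): avc: denied { read write } for pid=455 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
Aug 5 07:51:25 couger kernel: some unrelated kernel message
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_avc(line):
    """Return one denial as a dict (perms plus key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Third field of user:role:type is the type, e.g. file_t."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); merge permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def needs_relabel(summary):
    """Source types denied on file_t targets: the files are unlabeled, so a
    filesystem relabel is the fix, not an allow rule granting access to file_t."""
    return sorted({src for (src, tgt, _cls) in summary if tgt == "file_t"})

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (src, tgt, cls), perms in sorted(s.items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    print("relabel needed for:", needs_relabel(s))
```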

netman4ttm
08-05-2004, 04:02 PM
Remember the first time you ran poledit in Windows. This is worse.
Security is as follows:
1. Users
2. Files
3. Applications (for example, named needs to have permission to do what named does or it won't work)

Hopefully, someone at webpro has done this at least once, because things are looking a bit dismal here.

netman4ttm
08-05-2004, 06:55 PM
Reading everything here, plus the FAQs. Will let everyone know how it goes.
http://www.nsa.gov/selinux/info/docs.cfm

Contributions of code or Johnnie Walker accepted :^(