Re: Selinux available on 2.6.10 powerpc.deb [was: powerpc 2.6.10-2 [ ... ]]
On Thu, Feb 17, 2005 at 11:56:22PM +0100, Sven Luther wrote:
> On Wed, Feb 16, 2005 at 08:51:20PM +0100, Wolfgang Pfeiffer wrote:
> > On Wed, Feb 16, 2005 at 11:55:09AM +0100, Sven Luther wrote:
> > 2.6.10 has "Selinux" support compiled in. :)
>
> Yes, indeed :
>
> #
> # Security options
> #
> CONFIG_KEYS=y
> # CONFIG_KEYS_DEBUG_PROC_KEYS is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_CAPABILITIES=y
> # CONFIG_SECURITY_ROOTPLUG is not set
> CONFIG_SECURITY_SECLVL=m
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> # CONFIG_SECURITY_SELINUX_MLS is not set
>
> I am not sure about this one (or other rarely used options), so I am trying to
> follow the x86 kernels on this.
------------------------
McCarty, in his SELinux Book (O'Reilly, Oct. 2004) suggests the following
settings for a SELinux enabled Kernel:

Under Code Maturity, specify:
    Prompt for development and/or incomplete code/drivers

Under Device Drivers --> Character Devices, specify:
    UNIX98 PTY
    No Legacy (BSD) PTY support

Under File Systems, specify:
    Second Extended fs support
    Ext2 extended attributes
    Ext2 security labels
    Ext3 journalling file system support
    Ext3 extended attributes
    Ext3 security labels
Don't specify POSIX access control lists for either ext2 or ext3.

Under Pseudo filesystems, specify:
    /dev/pts Extended Attributes
    /dev/pts Security labels
Don't specify:
    /dev file system support

And finally, under Security options, specify:
    Enable different security models
    Socket and networking security hooks
    Default Linux capabilities
    NSA SELinux
    NSA SELinux boot parameter
    NSA SELinux Development support
--------------------------------
More docs, support etc.:
"Getting Started with Security Enhanced Linux: the new SE Linux":
http://www.lurking-grue.org/
There are special mailing lists for selinux:
I read in the McCarty book that a mailing-list such as the
debian-security one might be a forum for selinux related topics.
NSA list:
http://www.nsa.gov/selinux/info/list.cfm?MenuID=41.1.1.9
Fedora list:
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
And last but not least:
*The* selinux book :) (Several weeks ago it was the only SELinux
primer at all that I knew about):
Bill McCarty:
SELINUX
NSA's Open Source
Security Enhanced Linux
All in all with about 238 pages. Among them more than 20 pages of
appendices and an index with about 16 pages. With short instructions
how to install the SELinux stuff on Fedora 2, Debian, Gentoo. With
some relatively short notes on Suse and RedHat Enterprise Linux:
http://www.oreilly.com/catalog/selinux/index.html
HTH
Regards
Wolfgang
--
Wolfgang Pfeiffer
http://profiles.yahoo.com/wolfgangpfeiffer
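
An added example, not part of the original message: a small checker that parses a kernel .config and reports where it deviates from the settings list quoted above. The mapping from menu entries to 2.6-era Kconfig symbol names is this example's assumption (the message gives menu names only), and the sample config is constructed.

```python
import re

# Menu entries from the list above as 2.6-era Kconfig symbols (CONFIG_ prefix
# dropped). The mapping is this example's assumption, not from the message.
WANT_ON = """EXPERIMENTAL UNIX98_PTYS EXT2_FS EXT2_FS_XATTR EXT2_FS_SECURITY
EXT3_FS EXT3_FS_XATTR EXT3_FS_SECURITY DEVPTS_FS_XATTR DEVPTS_FS_SECURITY
SECURITY SECURITY_NETWORK SECURITY_CAPABILITIES SECURITY_SELINUX
SECURITY_SELINUX_BOOTPARAM SECURITY_SELINUX_DEVELOP""".split()
WANT_OFF = "LEGACY_PTYS EXT2_FS_POSIX_ACL EXT3_FS_POSIX_ACL DEVFS_FS".split()
LINE = re.compile(r"(?:CONFIG_(\w+)=(.*)|# CONFIG_(\w+) is not set)$")

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' becomes 'n'."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1):
            cfg[m.group(1)] = m.group(2)
        elif m:
            cfg[m.group(3)] = "n"
    return cfg

def audit(cfg):
    """Return (symbol, found, wanted) per deviation; an absent symbol counts as 'n'."""
    on = [(s, cfg.get(s, "n"), "y") for s in WANT_ON
          if cfg.get(s, "n") not in ("y", "m")]  # built-in or module both count
    off = [(s, cfg[s], "n") for s in WANT_OFF if cfg.get(s, "n") != "n"]
    return on + off

# Constructed sample: every wanted option enabled, then three deviations.
SAMPLE = "\n".join(f"CONFIG_{s}=y" for s in WANT_ON if s != "EXT3_FS_SECURITY") + """
# CONFIG_EXT3_FS_SECURITY is not set
CONFIG_LEGACY_PTYS=y
CONFIG_EXT2_FS_POSIX_ACL=y
# CONFIG_DEVFS_FS is not set
"""

if __name__ == "__main__":
    for sym, found, want in audit(parse_config(SAMPLE)):
        print(f"CONFIG_{sym}: found {found}, list wants {want}")
```

To check a real kernel, pass the contents of its config file (for example the /boot/config-* file shipped with a Debian kernel package) to parse_config() instead of SAMPLE.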