SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm

SE Linux requires modified versions of login, sshd, tar, stat, findutils,
fileutils, [xkg]dm, and some other programs.

Once such support is compiled in they can be used on non SE-Linux systems
without any problems. The difference is only a few extra system calls, so it
will add a small amount to the binary size of the packages and some more
system calls to your strace output.

Also it will require that the selinux-dev package be installed when building
such packages.

My opinion at the moment is that heavier programs such as kdm won't suffer
from a small amount of extra SE-Linux code (while having an extra kdm-se
package is a pain for everyone). For login it makes more sense to have a
separate login-se package so that people who don't want this functionality
can skip it and save the disk space. I can imagine situations where having
even such a small overhead in /bin/login is unwanted.

Now for the other packages, which ones do you think should have a separate
package-se version and which ones should have it merged into the base
functionality?

Of course in the end it'll come down to the decision of the package
maintainer. If the maintainer doesn't like it then I'll happily upload a -se
version. If the maintainer insists on including it then I won't try and stop
them.

But I'm raising the issue for discussion here to get some discussion of the
issues (maybe there's something I'm missing that people should be aware of).

Another issue is the possibility of having a shared object with the SE-Linux
library code, in which case we would need separate versions of all these
packages. I'm not sure that the upstream developers of SE-Linux (NSA and
others) would like the idea of a shared object, but I don't think it's any
more of a security issue than a shared libc.

Russell Coker

PS I hope to have some test packages of SE-Linux enabled utilities on
http://www.coker.com.au/selinux/ within 24 hours, and a complete set of
SE-Linux Debian packages (apart from [xkg]dm) within a week.

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page