
SE Linux packages of login, sshd, tar, stat, findutils, fileutils, and [xkg]dm



SE Linux requires modified versions of login, sshd, tar, stat, findutils,
fileutils, [xkg]dm, and some other programs.

Once such support is compiled in, they can be used on non-SE-Linux systems
without any problems.  The difference is only a few extra system calls, so it 
will add a small amount to the binary size of the packages and some more 
system calls to your strace output.

Also it will require that the selinux-dev package be installed when building 
such packages.

My opinion at the moment is that heavier programs such as kdm won't suffer 
from a small amount of extra SE-Linux code (while having an extra kdm-se 
package is a pain for everyone).  For login it makes more sense to have a 
separate login-se package so that people who don't want this functionality 
can skip it and save the disk space.  I can imagine situations where having 
even such a small overhead in /bin/login is unwanted.

Now for the other packages, which ones do you think should have a separate 
package-se version and which ones should have it merged into the base 
functionality?


Of course in the end it'll come down to the decision of the package 
maintainer.  If the maintainer doesn't like it then I'll happily upload a -se 
version.  If the maintainer insists on including it then I won't try and stop 
them.

But I'm raising the issue for discussion here to get some discussion of the 
issues (maybe there's something I'm missing that people should be aware of).


Another issue is the possibility of having a shared object with the SE-Linux 
library code, in which case we would need separate versions of all these 
packages.  I'm not sure that the upstream developers of SE-Linux (NSA and 
others) would like the idea of a shared object, but I don't think it's any 
more of a security issue than a shared libc.


Russell Coker

PS  I hope to have some test packages of SE-Linux enabled utilities on 
http://www.coker.com.au/selinux/ within 24 hours, and a complete set of 
SE-Linux Debian packages (apart from [xkg]dm) within a week.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page


