Re: Debian / SE-Linux

To: russell@coker.com.au
Cc: debian-devel@lists.debian.org, Matthew Palmer <mpalmer@debian.org>
Subject: Re: Debian / SE-Linux
From: Joshua Brindle <method@gentoo.org>
Date: Fri, 14 May 2004 01:09:27 -0500
Message-id: <[🔎] 40A46297.2060109@gentoo.org>
In-reply-to: <[🔎] 200405141543.06324.russell@coker.com.au>
References: <[🔎] 20040513105635.GH2989@lkcl.net> <[🔎] 20040513121806.GA20854@hezmatt.org> <[🔎] 200405141543.06324.russell@coker.com.au>

Russell Coker wrote:

<snip>

What are Gentoo and RedHat (which you cite as supporting SElinux by
default) doing in this regard?
For Gentoo everything is compiled at install time. I imagine that if you haveSE Linux enabled then things are compiled differently, but I have notchecked. I have CC'd the leader of the Hardened Gentoo project and I'm surethat he'll be able to give a good description of what they are doing.

In most cases we apply patches to packages if the user is using theselinux profile, for example

        use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}

is pretty standard for applications that do not have selinux supportupstream. For applications which do have support upstream and merelyneed a configure argument to enable it we simply do that

	use selinux && myconf = "${myconf} --with-selinux"
or whatever.

In either case we add libselinux as an optional dependancy, This givesselinux users all the support they need without doing anything tonon-selinux users, this is obviously different from what redhat anddebian will have to do since the packages are preconfigured to eithersupport it or not.


<snip>

Yes. However it's not quite that bad. SE Linux policy is easier to analyse,I have on several occasions spotted security flaws in applications by thepolicy that's needed to run them. The applications in question were run bymany people for quite some time without the bugs apparently being noticed byanyone (or at least not anyone who wanted them fixed). But they were easy tonotice in SE Linux policy.

*note* this isn't necessarilly my concern but I'll just say that I can'tsee package maintainers handling policy, I don't have experience withdebian devs but I know that it would be very difficult to persuadedaemon maintainers to do anything at all with policies, let alone trustthem to make a proper least privledge policy. It could be a securitydisaster to try and maintain a decentralized policy repositorymaintained by packagers that don't have a clue about security, accesscontrol or the selinux policy language.

In Gentoo we have policy packages in our tree, sec-policy/selinux-apachefor example, which is an optional dependancy of apache (if they use hasselinux enabled). The advantage is that the apache policy can beupdataed without the entire policy being updated, the disadvantage isthat the fc's aren't available when apache is installing and beinglabeled unless the policy is rebuilt and reloaded beforehand. Portagehas the ability to *optionally* rebuild and reload the policy afterinstalling new policy files.


<snip>

Joshua Brindle

Reply to:

References:
- Debian / SE-Linux
  - From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
- Re: Debian / SE-Linux
  - From: Matthew Palmer <mpalmer@debian.org>
- Re: Debian / SE-Linux
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: Debian / SE-Linux
Next by Date: bagatelle ammonium
Previous by thread: Re: Debian / SE-Linux
Next by thread: Re: Debian / SE-Linux
Index(es):
- Date
- Thread