Re: Debian / SE-Linux

Russell Coker wrote:


What are Gentoo and RedHat (which you cite as supporting SElinux by
default) doing in this regard?

For Gentoo everything is compiled at install time. I imagine that if you have SE Linux enabled then things are compiled differently, but I have not checked. I have CC'd the leader of the Hardened Gentoo project and I'm sure that he'll be able to give a good description of what they are doing.

In most cases we apply patches to packages if the user is using the selinux profile, for example
        use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
is pretty standard for applications that do not have selinux support upstream. For applications which do have support upstream and merely need a configure argument to enable it we simply do that
        use selinux && myconf="${myconf} --with-selinux"
or whatever.

In either case we add libselinux as an optional dependency. This gives selinux users all the support they need without doing anything to non-selinux users; this is obviously different from what redhat and debian will have to do since the packages are preconfigured to either support it or not.


Yes. However it's not quite that bad. SE Linux policy is easier to analyse, I have on several occasions spotted security flaws in applications by the policy that's needed to run them. The applications in question were run by many people for quite some time without the bugs apparently being noticed by anyone (or at least not anyone who wanted them fixed). But they were easy to notice in SE Linux policy.

*note* this isn't necessarily my concern but I'll just say that I can't see package maintainers handling policy. I don't have experience with debian devs but I know that it would be very difficult to persuade daemon maintainers to do anything at all with policies, let alone trust them to make a proper least privilege policy. It could be a security disaster to try and maintain a decentralized policy repository maintained by packagers that don't have a clue about security, access control or the selinux policy language.

In Gentoo we have policy packages in our tree, sec-policy/selinux-apache for example, which is an optional dependency of apache (if the user has selinux enabled). The advantage is that the apache policy can be updated without the entire policy being updated; the disadvantage is that the fc's aren't available when apache is installing and being labeled unless the policy is rebuilt and reloaded beforehand. Portage has the ability to *optionally* rebuild and reload the policy after installing new policy files.


Joshua Brindle