Re: Debian / SE-Linux
Russell Coker wrote:
<snip>
What are Gentoo and RedHat (which you cite as supporting SElinux by
default) doing in this regard?
For Gentoo everything is compiled at install time. I imagine that if you have
SE Linux enabled then things are compiled differently, but I have not
checked. I have CC'd the leader of the Hardened Gentoo project and I'm sure
that he'll be able to give a good description of what they are doing.
In most cases we apply patches to packages if the user is using the
selinux profile, for example
use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
is pretty standard for applications that do not have selinux support
upstream. For applications which do have support upstream and merely
need a configure argument to enable it we simply do that
use selinux && myconf="${myconf} --with-selinux"
or whatever.
In either case we add libselinux as an optional dependency. This gives
selinux users all the support they need without doing anything to
non-selinux users, this is obviously different from what redhat and
debian will have to do since the packages are preconfigured to either
support it or not.
<snip>
Yes. However it's not quite that bad. SE Linux policy is easier to analyse,
I have on several occasions spotted security flaws in applications by the
policy that's needed to run them. The applications in question were run by
many people for quite some time without the bugs apparently being noticed by
anyone (or at least not anyone who wanted them fixed). But they were easy to
notice in SE Linux policy.
*note* this isn't necessarily my concern but I'll just say that I can't
see package maintainers handling policy, I don't have experience with
debian devs but I know that it would be very difficult to persuade
daemon maintainers to do anything at all with policies, let alone trust
them to make a proper least privilege policy. It could be a security
disaster to try and maintain a decentralized policy repository
maintained by packagers that don't have a clue about security, access
control or the selinux policy language.
In Gentoo we have policy packages in our tree, sec-policy/selinux-apache
for example, which is an optional dependency of apache (if the user has
selinux enabled). The advantage is that the apache policy can be
updated without the entire policy being updated, the disadvantage is
that the fc's aren't available when apache is installing and being
labeled unless the policy is rebuilt and reloaded beforehand. Portage
has the ability to *optionally* rebuild and reload the policy after
installing new policy files.
<snip>
Joshua Brindle
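
The USE-conditional pattern described in the message above, modelled as an added example (not part of the original post and not Portage's code): `use` and `resolve_deps` are simplified stand-ins, and `dev-libs/apr` and `--prefix=/usr` are assumed sample values. It shows one package definition producing different dependencies and configure arguments depending on whether `selinux` is in `USE`.

```shell
# Added example: constructed model of USE-conditional builds, not Portage code.

# Stand-in for Portage's `use` helper: true when the flag is listed in $USE.
use() {
    case " ${USE} " in *" $1 "*) return 0 ;; esac
    return 1
}

# Resolve "flag? ( atoms )" groups in a dependency string against $USE.
# The body is a subshell so `set -f` (no globbing of "flag?") stays local.
resolve_deps() (
    set -f
    depth=0 skip=0 cond=1 out=""
    for tok in $1; do
        case "$tok" in
            "(")
                depth=$((depth + 1))
                # A false condition in front of this group starts skipping.
                if [ "$skip" -eq 0 ] && [ "$cond" -eq 0 ]; then skip=$depth; fi
                cond=1 ;;
            ")")
                if [ "$skip" -eq "$depth" ]; then skip=0; fi
                depth=$((depth - 1)) ;;
            *\?)
                flag=${tok%\?}
                if use "$flag"; then cond=1; else cond=0; fi ;;
            *)
                if [ "$skip" -eq 0 ]; then out="${out}${out:+ }${tok}"; fi ;;
        esac
    done
    echo "$out"
)

# The ebuild idiom from the message: the switch is added only for selinux users.
configure_args() {
    myconf="--prefix=/usr"
    use selinux && myconf="${myconf} --with-selinux"
    echo "${myconf}"
}

# Constructed sample; dev-libs/apr and --prefix=/usr are illustrative assumptions.
DEPEND_SAMPLE="dev-libs/apr selinux? ( sys-libs/libselinux sec-policy/selinux-apache )"

for profile in "ssl ipv6" "ssl ipv6 selinux"; do
    USE="$profile"
    echo "USE='${USE}'"
    echo "  deps:      $(resolve_deps "$DEPEND_SAMPLE")"
    echo "  configure: $(configure_args)"
done
```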