Re: Making SELinux standard for etch

To: debian-devel@lists.debian.org
Subject: Re: Making SELinux standard for etch
From: Manoj Srivastava <srivasta@debian.org>
Date: Fri, 06 Oct 2006 19:27:50 -0500
Message-id: <[🔎] 878xjtufzt.fsf@glaurung.internal.golden-gryphon.com>
In-reply-to: <[🔎] 200610070156.59441.debian@hendrik-sattler.de> (Hendrik Sattler's message of "Sat\, 7 Oct 2006 01\:56\:53 +0200")
References: <[🔎] 87mz89ul6z.fsf@glaurung.internal.golden-gryphon.com> <[🔎] 200610070156.59441.debian@hendrik-sattler.de>

On Sat, 7 Oct 2006 01:56:53 +0200, Hendrik Sattler <debian@hendrik-sattler.de> said: 

> Am Samstag 07 Oktober 2006 00:35 schrieb Manoj Srivastava:
>> We are at a point where we can support a targeted SELinux  policy,
>> at least in permissive mode.  Everything seems to work for  me; I
>> can fire up targeted SELinux UML's and only see a few harmless  log
>> messages.

> What do those look like? How many is "few"?

        What do they look like? Well, here is the dhcp3 client leaking
 file descriptors:
audit(1159892211.134:26): avc:  denied  { read write } for  pid=1656 comm="ifconfig" name="[8186]" dev=sockfs ino=8186 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket

        I need about 4 dontaudit rules in the policy to shut things up
 completely. 

>>         I brought this over on the debian-installer mailing list,
>> and  suggested that we ship SELinux installed, but turned off by
>> default;  and a README or a short shell script fr the local
>> administrator to  enable SELinux.  Our support at this point is
>> better in some respects  to any other distribution (selecting and
>> installing modular policy  modules, for instance). All the core
>> packages support SELinux (unlike  in, say, Ubuntu).

> Well, most users have enough to find out what groups they must be in
> for fully working desktop (>= 8). How many will use _any_ SELinux
> feature? Those that know that they need it, know how to install it.


        It is easier to turn on something that is already installed;
 we can add commented out lines to /etc/pam.d/login, for example, and
 tell  people to just uncomment the commented lines in place.
 Shipping SELinux packages, even disabled, lowers the barrier of entry;
 we also will learn of any negative interactions early.

        Turning SELinux on can be as simple as executing a simple
 shell script, + editing grub.conf. Installing SELinux from scratch it
 far more daunting -- just ask around to see how many developers have
 done it.

> Maybe you can enlighten me what the average Debian user will gain
> from SELinux?

        Err, security for any daemon they run? Postfix? sendmail?
 bind? apache2? ppp? amanda? hal? logwatch? automount? ircd?

        A significant number of security modules are relevant on any
 end user system.  Given the bloat of GNOME and KDE, I am pretty sure
 end user systems are not the problem installs -- the disk space usage
 is more than negated the first time any user runs gnome and creates a
 ~/.gnome which is likely to be bigger than the whole SELinux
 subsystem.

        manoj
-- 
Dogs just don't seem to be able to tell the difference between
important people and the rest of us.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: Making SELinux standard for etch
  - From: Christian Perrier <bubulle@debian.org>
- Re: Making SELinux standard for etch
  - From: Uwe Hermann <uwe@hermann-uwe.de>

References:
- Making SELinux standard for etch
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: Making SELinux standard for etch
  - From: Hendrik Sattler <debian@hendrik-sattler.de>

Prev by Date: Re: Making SELinux standard for etch
Next by Date: Re: Making SELinux standard for etch
Previous by thread: Re: Making SELinux standard for etch
Next by thread: Re: Making SELinux standard for etch
Index(es):
- Date
- Thread