[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Making SELinux standard for etch

On Sat, 7 Oct 2006 01:56:53 +0200, Hendrik Sattler <debian@hendrik-sattler.de> said: 

> Am Samstag 07 Oktober 2006 00:35 schrieb Manoj Srivastava:
>> We are at a point where we can support a targeted SELinux  policy,
>> at least in permissive mode.  Everything seems to work for  me; I
>> can fire up targeted SELinux UML's and only see a few harmless  log
>> messages.

> What do those look like? How many is "few"?

        What do they look like? Well, here is the dhcp3 client leaking
 file descriptors:
audit(1159892211.134:26): avc:  denied  { read write } for  pid=1656 comm="ifconfig" name="[8186]" dev=sockfs ino=8186 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket

        I need about 4 dontaudit rules in the policy to shut things up

>>         I brought this over on the debian-installer mailing list,
>> and  suggested that we ship SELinux installed, but turned off by
>> default;  and a README or a short shell script fr the local
>> administrator to  enable SELinux.  Our support at this point is
>> better in some respects  to any other distribution (selecting and
>> installing modular policy  modules, for instance). All the core
>> packages support SELinux (unlike  in, say, Ubuntu).

> Well, most users have enough to find out what groups they must be in
> for fully working desktop (>= 8). How many will use _any_ SELinux
> feature? Those that know that they need it, know how to install it.

        It is easier to turn on something that is already installed;
 we can add commented out lines to /etc/pam.d/login, for example, and
 tell  people to just uncomment the commented lines in place.
 Shipping SELinux packages, even disabled, lowers the barrier of entry;
 we also will learn of any negative interactions early.

        Turning SELinux on can be as simple as executing a simple
 shell script, + editing grub.conf. Installing SELinux from scratch it
 far more daunting -- just ask around to see how many developers have
 done it.

> Maybe you can enlighten me what the average Debian user will gain
> from SELinux?

        Err, security for any daemon they run? Postfix? sendmail?
 bind? apache2? ppp? amanda? hal? logwatch? automount? ircd?

        A significant number of security modules are relevant on any
 end user system.  Given the bloat of GNOME and KDE, I am pretty sure
 end user systems are not the problem installs -- the disk space usage
 is more than negated the first time any user runs gnome and creates a
 ~/.gnome which is likely to be bigger than the whole SELinux

Dogs just don't seem to be able to tell the difference between
important people and the rest of us.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: