Re: Making SELinux standard for etch
On Sat, 7 Oct 2006 01:56:53 +0200, Hendrik Sattler <debian@hendrik-sattler.de> said:
> On Saturday 07 October 2006 00:35, Manoj Srivastava wrote:
>> We are at a point where we can support a targeted SELinux policy,
>> at least in permissive mode. Everything seems to work for me; I
>> can fire up targeted SELinux UML's and only see a few harmless log
>> messages.
> What do those look like? How many is "few"?
What do they look like? Well, here is the dhcp3 client leaking
file descriptors:
audit(1159892211.134:26): avc: denied { read write } for pid=1656 comm="ifconfig" name="[8186]" dev=sockfs ino=8186 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:dhcpc_t tclass=udp_socket
I need about 4 dontaudit rules in the policy to shut things up
completely.
>> I brought this over on the debian-installer mailing list,
>> and suggested that we ship SELinux installed, but turned off by
>> default; and a README or a short shell script for the local
>> administrator to enable SELinux. Our support at this point is
>> better in some respects than any other distribution (selecting and
>> installing modular policy modules, for instance). All the core
>> packages support SELinux (unlike in, say, Ubuntu).
> Well, most users have enough to find out what groups they must be in
> for fully working desktop (>= 8). How many will use _any_ SELinux
> feature? Those that know that they need it, know how to install it.
It is easier to turn on something that is already installed;
we can add commented out lines to /etc/pam.d/login, for example, and
tell people to just uncomment the commented lines in place.
Shipping SELinux packages, even disabled, lowers the barrier of entry;
we also will learn of any negative interactions early.
Turning SELinux on can be as simple as executing a simple
shell script, + editing grub.conf. Installing SELinux from scratch is
far more daunting -- just ask around to see how many developers have
done it.
> Maybe you can enlighten me what the average Debian user will gain
> from SELinux?
Err, security for any daemon they run? Postfix? sendmail?
bind? apache2? ppp? amanda? hal? logwatch? automount? ircd?
A significant number of security modules are relevant on any
end user system. Given the bloat of GNOME and KDE, I am pretty sure
end user systems are not the problem installs -- the disk space usage
is more than negated the first time any user runs gnome and creates a
~/.gnome which is likely to be bigger than the whole SELinux
subsystem.
manoj
--
Dogs just don't seem to be able to tell the difference between
important people and the rest of us.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C