Re: Should selinux be standard?

On Tue, Sep 16 2008, Julien Cristau wrote:

> I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> /proc/net, creating a socket and doing anything with it, then some more
> errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> it's not allowed to connect to 11371/tcp), firefox, or gconfd-2.  Uptime
> is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
> Looks like it's not ready for prime time to me.

        Firstly, what policy are you using? Has your machine been updated
 to actually compile/load the policy? (Like a number of packages,
 SELinux does need some configuration).

        Secondly, if you are indeed using selinux-policy-default, and
 have a properly labelled file system, and are still experiencing
 problems, have you filed a bug? At the very least, people who see avc
 denials on a properly configured machine should send me and russell a
 copy of their warning messages; this will help ensure that these bugs
 go away.

        Lastly, even running in permissive mode, since the policy is not
 yet perfect, if the volume of messages is reduced, keeping an eye on
 xconsole and the AVC messages is a useful indication of unusual
 activity on your machine.

        Yes, I call the permissive mode AVC denial messages a useful
 feature, and audit2allow enables people to locally shut up spurious AVC
 messages so the real ones do not get lost in the forest, until the
 default policy is updated in response to the bug report filed.

        At this point, we are so close -- and I would rather go ahead
 and finish polishing off the remaining lacunae, than regress to not
 having SELinux at all.

        While we have not reached the level required for strict policy,
 I think we are close to having targeted policy work out of the box. The
 last bit of work to make it work for lenny can be done, especially if
 people help identify the problem areas.
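The triage step the reply describes, keeping an eye on permissive-mode AVC denials and separating the repeated spurious ones (audit2allow fodder) from the rare ones worth reading, as an added example. This is editor-supplied shell, not code from the thread or from the Debian SELinux packages. The log lines embedded in it are constructed in the kernel-log format dmesg prints; the pids, inodes, paths and the exact type names (user_sudo_t, dhcpc_t, user_ssh_agent_t and so on) are assumptions for illustration, not output captured from any machine. The grep pattern is the same one Julien used, with the double space the kernel puts after "avc:".

```shell
#!/bin/sh
# Added example: triage of permissive-mode AVC denials from a kernel log.
# Not from the mailing-list thread or the Debian selinux-policy packages.
#
# SAMPLE_AVC is CONSTRUCTED for this example (assumed pids, inodes, paths
# and type names).  The first line is ordinary kernel noise so the filter
# has something to drop; the other six are denials in dmesg format.
SAMPLE_AVC='eth0: link up, 100Mbps, full-duplex
audit(1221580001.000:10): avc:  denied  { read } for  pid=2101 comm="sudo" name="resolv.conf" dev=sda1 ino=100 scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
audit(1221580002.000:11): avc:  denied  { read } for  pid=2102 comm="sudo" name="resolv.conf" dev=sda1 ino=100 scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
audit(1221580003.000:12): avc:  denied  { read } for  pid=2103 comm="sudo" name="resolv.conf" dev=sda1 ino=100 scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
audit(1221580004.000:13): avc:  denied  { create } for  pid=1800 comm="dhclient3" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=packet_socket
audit(1221580005.000:14): avc:  denied  { create } for  pid=1801 comm="dhclient3" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=packet_socket
audit(1221580006.000:15): avc:  denied  { connectto } for  pid=2300 comm="ssh-add" path="/tmp/ssh-abc123/agent.2290" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_ssh_agent_t:s0 tclass=unix_stream_socket'

# The raw count Julien quoted: dmesg | count_denials
count_denials() {
    grep -c 'avc:  denied'
}

# One line per distinct (comm, permission, source type -> target type, class)
# tuple, prefixed by how often it occurred, most frequent first.  Contexts are
# reduced to their type field because that is what a policy rule keys on, so
# every denial folded into one line here would be covered by one allow rule.
summarize_avc() {
    grep 'avc:  denied' |
    sed -n 's/.*avc:  denied  { \([^}]*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \1 \3 -> \4 \5/p' |
    sort | uniq -c | sort -rn
}

# Tuples seen fewer than $1 times: the ones to read by hand rather than
# silence, since a one-off denial is the kind of "unusual activity" the reply
# wants people to notice.
rare_denials() {
    summarize_avc | awk -v n="$1" '$1 < n'
}

# Stand-alone run: total, grouped summary, then the rare ones.
printf '%s\n' "$SAMPLE_AVC" | count_denials
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | rare_denials 2
```

On a real system the input is `dmesg` or /var/log/kern.log rather than the embedded sample. The frequent tuples at the top of the summary are what one hands to audit2allow (for example `grep 'avc:  denied' /var/log/kern.log | audit2allow -m local`, which emits a local .te module to stdout), after filing the bug against the default policy as the reply asks; the rare ones at the bottom are the lines that should not be silenced.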


