Re: Should selinux be standard?
On Tue, Sep 16 2008, Julien Cristau wrote:
> I just tried booting with selinux=1 on my laptop. I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> /proc/net, creating a socket and doing anything with it, then some more
> errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> it's not allowed to connect to 11371/tcp), firefox, or gconfd-2. Uptime
> is about 20 minutes, and dmesg|grep -c 'avc: denied' returns 73.
> Looks like it's not ready for prime time to me.
Firstly, what policy are you using? Has your machine been updated
to actually compile/load the policy? (Like a number of packages,
SELinux does need some configuration).
Secondly, if you are indeed using selinux-policy-default, and
have a properly labelled file system, and are still experiencing
problems, have you filed a bug? At the very least, people who see avc
denials on a properly configured machine should send me and russell a
copy of their warning messages; this will help ensure that these bugs
go away.
Lastly, even running in permissive mode, since the policy is not
yet perfect, if the volume of messages is reduced, keeping an eye on
xconsole and the AVC messages is a useful indication of unusual
activity on your machine.
Yes, I call the permissive mode AVC denial messages a useful
feature, and audit2allow enables people to locally shut up spurious AVC
messages so the real ones do not get lost in the forest, until the
default policy is updated in response to the bug report filed.
At this point, we are so close -- and I would rather go ahead
and finish polishing off the remaining lacunae, than regress to not
having SELinux at all.
While we have not reached the level required for strict policy,
I think we are close to having targeted policy work out of the box. The
last bit of work to make it work for lenny can be done, especially if
people help identify the problem areas.
manoj
--
Q: Are we not men? A: We are Vaxen.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
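As an added illustration (not part of Manoj's or Julien's messages, and not Debian's own tooling), here is a small POSIX shell script doing the triage the thread describes: count the AVC denials the way Julien did with dmesg|grep -c, then group them by command, requested permission, object class and source/target SELinux type, so the handful of policy gaps that generate most of the noise stand out before anything is fed to audit2allow or a bug report. The log lines are constructed sample data modelled on the kernel's AVC message format, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of AVC denial lines as the kernel prints them to dmesg
# (invented data for this example, not output from the original poster's laptop).
SAMPLE_AVC='type=AVC msg=audit(1221578234.123:45): avc:  denied  { connect } for  pid=4321 comm="gpgkeys_hkp" scontext=user_u:system_r:gpg_helper_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1221578235.456:46): avc:  denied  { read } for  pid=4322 comm="sudo" name="resolv.conf" dev=sda1 ino=12345 scontext=user_u:system_r:sudo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1221578236.789:47): avc:  denied  { read } for  pid=4323 comm="sudo" name="resolv.conf" dev=sda1 ino=12345 scontext=user_u:system_r:sudo_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1221578240.000:48): avc:  denied  { write } for  pid=4400 comm="dhclient3" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
'

# count_denials: the raw figure from the thread (dmesg | grep -c 'avc: denied'),
# tolerant of the one- or two-space variants of "avc:  denied".
count_denials() {
    grep -c 'avc: *denied'
}

# summarize_denials: read AVC lines on stdin, print one line per distinct
# (comm, permission, tclass, source type, target type) tuple, most frequent first.
# Multiple permissions inside { } are joined with commas.
summarize_denials() {
    awk '
    /avc: *denied/ {
        perm = ""; comm = "?"; stype = "?"; ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            # permissions sit between the "{" and "}" fields
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            }
            split($i, kv, "=")
            if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }  # user:role:type:level
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass")   { tclass = kv[2] }
        }
        n[comm " " perm " " tclass " " stype " " ttype]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Run on the constructed sample; on a real machine pipe dmesg or the audit log in instead.
printf '%s' "$SAMPLE_AVC" | count_denials
printf '%s' "$SAMPLE_AVC" | summarize_denials
```

The grouped output makes the distinction Manoj draws easier to act on: a repeated, well-understood tuple (sudo_t reading net_conf_t, say) is a policy gap to report and, meanwhile, to silence locally with an audit2allow-generated module, while a one-off tuple that matches no known gap is the "unusual activity" signal worth keeping visible.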