Re: Should selinux be standard?

To: Josselin Mouette <joss@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Should selinux be standard?
From: Manoj Srivastava <srivasta@debian.org>
Date: Tue, 16 Sep 2008 13:05:33 -0500
Message-id: <[🔎] 87wshcufte.fsf@anzu.internal.golden-gryphon.com>
Mail-followup-to: Josselin Mouette <joss@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20080916124509.GA3999@patate.is-a-geek.org> (Julien Cristau's message of "Tue, 16 Sep 2008 14:45:09 +0200")
References: <[🔎] 20080914090810.GA7965@deprecation.cyrius.com> <[🔎] 200809141240.30196.elendil@planet.nl> <[🔎] 200809142132.45183.russell@coker.com.au> <[🔎] 1221567133.4261.12.camel@shizuru> <[🔎] 20080916124509.GA3999@patate.is-a-geek.org>

On Tue, Sep 16 2008, Julien Cristau wrote:

> I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> /proc/net, creating a socket and doing anything with it, then some more
> errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> it's not allowed to connect to 11371/tcp, firefox, or gconfd-2.  Uptime
> is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
> Looks like it's not ready for prime time to me.

        Hmm.
__> dpkg -l | egrep '^ii' | wc -l
4431
__> uptime
 12:56:01 up  1:31,  2 users,  load average: 0.46, 0.28, 0.20
__> audit2allow < /var/log/messages | egrep -v '(^$)|(^#)'  | wc -l
9
__>  audit2allow < /var/log/messages | egrep -v '(^$)|(^#)' 
allow avahi_t httpd_t:dbus send_msg;
allow hald_t pcscd_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t system_dbusd_t:dbus send_msg;
allow insmod_t lib_t:file execute_no_trans;
allow mdadm_t device_t:blk_file { read ioctl };
allow mdadm_t file_t:dir search;
allow pcscd_t hald_t:dbus send_msg;
allow pcscd_t system_dbusd_t:dbus send_msg;

        I have not tried to boot into enforcing mode, but I am not sure
 which of these are actually needed, and which can safely be denied
 anyway. So, 9 missing lines in policy, out of which 6 are about dbus.
 Russell is probably way better than I to try to resolve these issues,
 but I'll see what I can do to help.

        I have apache2, I run emacs (an OS by itself), I run iceweasel
 in a 32-bit chroot. I have modified udev to automagically mount my
 ipod/rockbox.

        I humbly posit that this is pretty close to working now (for my
 development box, in default mode).

        manoj
-- 
"Go! And never darken my towels again!" --Groucho Marx, "Duck Soup".
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to:

Follow-Ups:
- Re: Should selinux be standard?
  - From: Franklin PIAT <fpiat@bigfoot.com>
- Re: Should selinux be standard?
  - From: Josselin Mouette <joss@debian.org>

References:
- Should selinux be standard?
  - From: Martin Michlmayr <tbm@cyrius.com>
- Re: Should selinux be standard?
  - From: Frans Pop <elendil@planet.nl>
- Re: Should selinux be standard?
  - From: Russell Coker <russell@coker.com.au>
- Re: Should selinux be standard?
  - From: Josselin Mouette <joss@debian.org>
- Re: Should selinux be standard?
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Re: Should selinux be standard?
Next by Date: Headsup: ncurses soname bump 5 to 6
Previous by thread: Re: Should selinux be standard?
Next by thread: Re: Should selinux be standard?
Index(es):
- Date
- Thread