Re: LSM-based systems and debian packages

To: Andreas Barth <aba@not.so.argh.org>, debian-security@lists.debian.org
Subject: Re: LSM-based systems and debian packages
From: Russell Coker <russell@coker.com.au>
Date: Mon, 1 Dec 2003 07:06:39 +1100
Message-id: <[🔎] 200312010706.39652.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 20031130172735.GA13839@mails.so.argh.org>
References: <[🔎] 20031130172735.GA13839@mails.so.argh.org>

On Mon, 1 Dec 2003 04:27, Andreas Barth <aba@not.so.argh.org> wrote:
> Is it possible for me as a package maintainer to specifiy the needed
> rights for "my" programms in a way that as much systems as possible
> can use these without the need for a sysadmin to change anything? Or
> would each LSM-based system need it's own configuration? And if so,
> which should be supported by a package, and how?

There will be support in RPM for packages that contain SE Linux policy.  For 
Debian such support will come later (if at all) as the plan is to centrally 
manage all policy for free software, and it's not difficult to apply custom 
policy for non-free software.

There are patches for cron, xdm type programs, procps, psmisc, pam, and 
logrotate for SE Linux which will hopefully get accepted into Debian packages 
soon.

> What I would even like more is a HOWTO "What a debian package
> maintainer should do to support LSM-based security-systems properly"
> (and this should become part of the Developers Reference). I'm willing
> to create a template of such a HOWTO in parallel to adding support to
> LSM to my packages, if I can; and this would mean that someone with
> knowledge would be willing to guide me, and answer my (partly very
> unknowing) questions about a lot of more or less simple things.

The best thing at the moment is to do things that are good for security even 
on non-SE Linux machines.  Don't have the daemon re-write it's own config 
files in /etc.  Have a separate process to access password files and 
manipulate data from them.  Don't copy files into a chroot for every 
invocation (Postfix is difficult because of this), or if you must copy such 
files around then make it easy to discover where it is to modify the process 
(Postfix startup scripts are difficult to understand and manage).

Documentation on exactly what cron jobs do would be good too, as they are 
particularly painful to get right.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

Follow-Ups:
- Re: LSM-based systems and debian packages
  - From: Andreas Barth <aba@not.so.argh.org>

References:
- LSM-based systems and debian packages
  - From: Andreas Barth <aba@not.so.argh.org>

Prev by Date: Re: Time for apt-secure?
Next by Date: Re: Security patches
Previous by thread: LSM-based systems and debian packages
Next by thread: Re: LSM-based systems and debian packages
Index(es):
- Date
- Thread