Re: SELinux on Squeeze?

To: russell@coker.com.au
Cc: debian-security@lists.debian.org
Subject: Re: SELinux on Squeeze?
From: Laurentiu Pancescu <lpancescu@googlemail.com>
Date: Fri, 30 Dec 2011 15:06:14 +0100
Message-id: <[🔎] 4EFDC556.8050707@googlemail.com>
In-reply-to: <[🔎] 201112310015.30479.russell@coker.com.au>
References: <[🔎] 4EFD71F0.2040803@googlemail.com> <[🔎] 201112310015.30479.russell@coker.com.au>

Hello Russell,

is there any difference between i386 and amd64 as to how much protectionSELinux is able to provide? Earlier, stuff like NX was only available on64-bit processors; are there still such differences?


On 12/30/11 14:15 , Russell Coker wrote:

The support is quite good.  I run a bunch of Squeeze servers with SE Linux.

That's encouraging. I saw the wiki page was also edited by you aroundApril 2010, I guess I'll give it another try.

As for Lenny, I expect if you added appropriate entries to /etc/modules or
used audit2allow you would have got it working.

It didn't occur to me to add anything to /etc/modules, but I did try toadd the rules suggested by audit2allow. It compiled the policy, I addedit, but it still didn't work - I probably did something wrong (I hadonly read the wiki page before and skimmed through the Fedora 5 SELinuxFAQ). I gave up after a day or so, it was my only system and couldn'twork. I should have read more before jumping in - mea culpa. Is thereany other documentation about SELinux except the one linked from thewiki, your blog and the NSA paper? Do any Debian administration booksaddress SELinux?

I can't imagine what the benefit would be in using "official" packages that I
created and uploaded to Debian over using "unofficial" packages that I created
and couldn't get in a Squeeze update because the changes would be too great or
I didn't get time to go through the process of applying for them to be put in
an update.

Well, your post a few hours ago about getting hacked (in taz's thread)scared me into thinking that the official packages might be safer... :)OTOH, I know you used to have a public SELinux server with root accessfor anyone to try, so I guess it can't be _that_ bad.

You will need to label those web server binaries as httpd_exec_t, use
"semanage fcontext -a" to prevent a restorecon operation from undoing such
changes.  Also you might need to generate some extra policy with audit2allow
if they happen to do something different to Apache.  But the potential policy
changes should be quite small, there really isn't much that Apache doesn't do.
In many ways Apache could be regarded as the most complex daemon that we
support in Debian.  According to SE Linux policy the MTAs are the only
competition for that.

Thanks, I'll try that in a VM first, with your "unofficial" packages.

P.S. Russell, if you are reading this, lots and lots of thanks for the
years of work on SELinux under Debian - I think we would have probably
never got SELinux on Debian without your efforts.

I'm glad you appreciate it.

Debian was the first distribution to support SE Linux.

I didn't know that, one associates SELinux mostly with RedHat-baseddistros nowadays.

I remember first considering SELinux after the hacking of a few Debianservers some years ago; the post-mortem analysis mentioned that SELinuxwould have prevented it and recommended enabling it if possible (was itWouter's blog?). I also remember Manoj fought quite hard to get SELinuxincluded by default in Debian, but many developers opposed it beingactive by default, like in Fedora. Too bad.


Thanks,
Laurentiu

Reply to:

Follow-Ups:
- Re: SELinux on Squeeze?
  - From: Russell Coker <russell@coker.com.au>

References:
- SELinux on Squeeze?
  - From: Laurentiu Pancescu <lpancescu@googlemail.com>
- Re: SELinux on Squeeze?
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: SELinux on Squeeze?
Next by Date: Re: SELinux on Squeeze?
Previous by thread: Re: SELinux on Squeeze?
Next by thread: Re: SELinux on Squeeze?
Index(es):
- Date
- Thread