Re: SELinux on Squeeze?
Hello Russell,
is there any difference between i386 and amd64 as to how much protection
SELinux is able to provide? Earlier, stuff like NX was only available on
64-bit processors; are there still such differences?
On 12/30/11 14:15, Russell Coker wrote:
> The support is quite good. I run a bunch of Squeeze servers with SE Linux.
That's encouraging. I saw the wiki page was also edited by you around
April 2010, I guess I'll give it another try.
> As for Lenny, I expect if you added appropriate entries to /etc/modules or
> used audit2allow you would have got it working.
It didn't occur to me to add anything to /etc/modules, but I did try to
add the rules suggested by audit2allow. It compiled the policy, I added
it, but it still didn't work - I probably did something wrong (I had
only read the wiki page before and skimmed through the Fedora 5 SELinux
FAQ). I gave up after a day or so, it was my only system and couldn't
work. I should have read more before jumping in - mea culpa. Is there
any other documentation about SELinux except the one linked from the
wiki, your blog and the NSA paper? Do any Debian administration books
address SELinux?
> I can't imagine what the benefit would be in using "official" packages that I
> created and uploaded to Debian over using "unofficial" packages that I created
> and couldn't get in a Squeeze update because the changes would be too great or
> I didn't get time to go through the process of applying for them to be put in
> an update.
Well, your post a few hours ago about getting hacked (in taz's thread)
scared me into thinking that the official packages might be safer... :)
OTOH, I know you used to have a public SELinux server with root access
for anyone to try, so I guess it can't be _that_ bad.
> You will need to label those web server binaries as httpd_exec_t, use
> "semanage fcontext -a" to prevent a restorecon operation from undoing such
> changes. Also you might need to generate some extra policy with audit2allow
> if they happen to do something different to Apache. But the potential policy
> changes should be quite small, there really isn't much that Apache doesn't do.
> In many ways Apache could be regarded as the most complex daemon that we
> support in Debian. According to SE Linux policy the MTAs are the only
> competition for that.
Thanks, I'll try that in a VM first, with your "unofficial" packages.
>> P.S. Russell, if you are reading this, lots and lots of thanks for the
>> years of work on SELinux under Debian - I think we would have probably
>> never got SELinux on Debian without your efforts.
> I'm glad you appreciate it.
> Debian was the first distribution to support SE Linux.
I didn't know that, one associates SELinux mostly with RedHat-based
distros nowadays.
I remember first considering SELinux after the hacking of a few Debian
servers some years ago; the post-mortem analysis mentioned that SELinux
would have prevented it and recommended enabling it if possible (was it
Wouter's blog?). I also remember Manoj fought quite hard to get SELinux
included by default in Debian, but many developers opposed it being
active by default, like in Fedora. Too bad.
Thanks,
Laurentiu
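The labelling steps Russell describes above (a persistent "semanage fcontext -a" rule, restorecon to apply it, and audit2allow for whatever the daemon does that Apache does not), written out as an added example script. This is not code from the thread or from Debian's SELinux packages; the binary path /opt/example/bin/webd, the module name local_webd and the DRY_RUN switch are assumptions of this script, not anything the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: put a non-Apache web server
# binary into the httpd_exec_t type the way Russell describes, persistently
# (so restorecon keeps the label), then turn any remaining AVC denials into
# a small local policy module with audit2allow.
# Assumptions not stated in the thread: the binary path and module name are
# placeholders; DRY_RUN=1 prints each privileged command instead of running
# it, so the labelling steps can be reviewed on a machine without SELinux.

set -eu

DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# label_httpd_binary PATH
# "semanage fcontext -a" stores the rule in the file-context database, so a
# later restorecon (or a full relabel) re-applies httpd_exec_t instead of
# resetting the file to its default type. A bare chcon would not survive that.
label_httpd_binary() {
    bin="$1"
    run semanage fcontext -a -t httpd_exec_t "$bin"
    run restorecon -v "$bin"
}

# verify_label PATH
# Compares the type the policy now assigns to PATH (what restorecon enforces)
# with the type actually on the file. Returns 0 only if both are httpd_exec_t.
verify_label() {
    bin="$1"
    policy_type=$(matchpathcon -n "$bin" | cut -d: -f3)
    file_type=$(stat -c %C "$bin" | cut -d: -f3)
    if [ "$policy_type" = httpd_exec_t ] && [ "$file_type" = httpd_exec_t ]; then
        return 0
    fi
    echo "label mismatch: policy=$policy_type file=$file_type" >&2
    return 1
}

# running_in_httpd_t CMDNAME
# After the daemon is restarted it should show up in httpd_t in ps -eZ
# (the label is the first column, the command name the last).
running_in_httpd_t() {
    ps -eZ | awk -v cmd="$1" '$NF == cmd && $1 ~ /:httpd_t:/ { found = 1 }
                              END { exit (found ? 0 : 1) }'
}

# build_local_policy MODULE
# Collects recent AVC denials and lets audit2allow write MODULE.te/MODULE.pp.
# Read MODULE.te before installing it: audit2allow permits exactly what was
# denied, which is only right if the denied access was legitimate.
build_local_policy() {
    mod="$1"
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ausearch -m avc -ts recent | audit2allow -M %s\n' "$mod"
        printf 'semodule -i %s.pp\n' "$mod"
        return 0
    fi
    ausearch -m avc -ts recent | audit2allow -M "$mod"
    semodule -i "$mod.pp"
}

# Usage: DRY_RUN=1 sh label-httpd.sh /opt/example/bin/webd   (review only)
#        sh label-httpd.sh /opt/example/bin/webd             (as root, on the host)
if [ "$#" -gt 0 ]; then
    label_httpd_binary "$1"
    [ "$DRY_RUN" = "1" ] || verify_label "$1"
    build_local_policy local_webd
fi
```

The verify step is what catches the problem Russell warns about: if the fcontext rule was never recorded, matchpathcon reports the default type and the next restorecon silently strips httpd_exec_t again. Run the daemon under the new label for a while before calling build_local_policy, so the module covers what it actually does rather than the first few denials.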