
Re: SELinux on Squeeze?



Hello Russell,

is there any difference between i386 and amd64 as to how much protection SELinux is able to provide? Earlier, stuff like NX was only available on 64-bit processors; are there still such differences?

On 12/30/11 14:15, Russell Coker wrote:
> The support is quite good.  I run a bunch of Squeeze servers with SE Linux.

That's encouraging. I saw that the wiki page was also edited by you around April 2010, so I guess I'll give it another try.
> As for Lenny, I expect if you added appropriate entries to /etc/modules or
> used audit2allow you would have got it working.

It didn't occur to me to add anything to /etc/modules, but I did try to add the rules suggested by audit2allow. It compiled the policy and I added it, but it still didn't work - I probably did something wrong (I had only read the wiki page before and skimmed through the Fedora 5 SELinux FAQ). I gave up after a day or so, as it was my only system and I couldn't work. I should have read more before jumping in - mea culpa. Is there any other documentation about SELinux apart from the pages linked from the wiki, your blog and the NSA paper? Do any Debian administration books address SELinux?
> I can't imagine what the benefit would be in using "official" packages that I
> created and uploaded to Debian over using "unofficial" packages that I created
> and couldn't get in a Squeeze update because the changes would be too great or
> I didn't get time to go through the process of applying for them to be put in
> an update.

Well, your post a few hours ago about getting hacked (in taz's thread) scared me into thinking that the official packages might be safer... :) OTOH, I know you used to have a public SELinux server with root access for anyone to try, so I guess it can't be _that_ bad.
> You will need to label those web server binaries as httpd_exec_t, use
> "semanage fcontext -a" to prevent a restorecon operation from undoing such
> changes.  Also you might need to generate some extra policy with audit2allow
> if they happen to do something different to Apache.  But the potential policy
> changes should be quite small, there really isn't much that Apache doesn't do.
> In many ways Apache could be regarded as the most complex daemon that we
> support in Debian.  According to SE Linux policy the MTAs are the only
> competition for that.

Thanks, I'll try that in a VM first, with your "unofficial" packages.
>> P.S. Russell, if you are reading this, lots and lots of thanks for the
>> years of work on SELinux under Debian - I think we would have probably
>> never got SELinux on Debian without your efforts.
>
> I'm glad you appreciate it.

> Debian was the first distribution to support SE Linux.

I didn't know that; one associates SELinux mostly with Red Hat-based distros nowadays.

I remember first considering SELinux after the hacking of a few Debian servers some years ago; the post-mortem analysis mentioned that SELinux would have prevented it and recommended enabling it if possible (was it Wouter's blog?). I also remember Manoj fought quite hard to get SELinux included by default in Debian, but many developers opposed it being active by default, like in Fedora. Too bad.

Thanks,
Laurentiu

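The labelling steps Russell describes in the quoted reply above (persist an httpd_exec_t label with "semanage fcontext -a" so restorecon does not undo it, then mop up any remaining denials with audit2allow), scripted as an added example. This is not code from the thread or from the Debian SE Linux packages. The binary path /usr/local/sbin/mywebd, the process name mywebd and the module name local_mywebd are invented for the illustration, and the SEL_DRY_RUN variable is this script's own switch for printing the commands instead of running them, not a feature of the SE Linux tools.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian SE Linux packages.
# It scripts the steps Russell describes: persist an httpd_exec_t label for a
# web server binary that is not Apache, apply it, verify it, and turn any AVC
# denials the daemon then produces into a small local policy module.
# Assumptions (not on the page): the binary path /usr/local/sbin/mywebd, the
# process name mywebd and the module name local_mywebd are invented; the
# SEL_DRY_RUN variable is this script's own knob, not a semanage feature.

# run: execute the command, or just print it when SEL_DRY_RUN=1 so the
# sequence can be reviewed (and tested) on a box without SE Linux tools.
run() {
    if [ "${SEL_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# label_httpd_exec PATH
# Record the label in the local file-context database first. A bare
# chcon would be undone by the next restorecon or full relabel, because
# restorecon resets files to whatever the database says; the semanage
# entry is what makes the change stick.
label_httpd_exec() {
    bin="$1"
    case "$bin" in
        /*) ;;
        *)  echo "label_httpd_exec: need an absolute path, got '$bin'" >&2
            return 1 ;;
    esac
    run semanage fcontext -a -t httpd_exec_t "$bin" &&
        run restorecon -v "$bin"
}

# verify_httpd_exec PATH COMM
# matchpathcon shows what the database now says, ls -Z what the inode
# carries, and ps -Z -C which domain the running daemon landed in.
# The file should show httpd_exec_t and the process httpd_t; if the
# process is not in httpd_t, no domain transition happened (typically
# because it was started some way other than its init script) and the
# Apache policy is not confining it at all.
verify_httpd_exec() {
    bin="$1"; comm="$2"
    run matchpathcon "$bin"
    run ls -Z "$bin"
    run ps -Z -C "$comm"
}

# collect_extra_policy COMM MODULE
# audit2allow turns the AVC denials logged for the daemon into allow
# rules and builds MODULE.pp; semodule loads it. Read the generated .te
# before loading: audit2allow allows exactly what was denied, so a denial
# caused by a misconfiguration or an attack would become policy too.
collect_extra_policy() {
    comm="$1"; mod="$2"
    if [ "${SEL_DRY_RUN:-0}" = "1" ]; then
        echo "ausearch -m avc -c $comm | audit2allow -M $mod"
        echo "semodule -i $mod.pp"
        return 0
    fi
    ausearch -m avc -c "$comm" | audit2allow -M "$mod" &&
        semodule -i "$mod.pp"
}

# Dry-run walkthrough with the invented names, in a subshell so the
# variable does not leak: prints the command sequence instead of running it.
(
    SEL_DRY_RUN=1
    label_httpd_exec /usr/local/sbin/mywebd
    verify_httpd_exec /usr/local/sbin/mywebd mywebd
    collect_extra_policy mywebd local_mywebd
)
```

For a real run, source the file and call the functions as root with SEL_DRY_RUN unset. One caveat worth remembering: the path given to "semanage fcontext -a" is a regular expression, so a plain binary path works as-is, but anything containing regex metacharacters needs escaping or it will match more than intended.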

