
Re: SELinux on Squeeze?



On Fri, 30 Dec 2011, Laurentiu Pancescu <lpancescu@googlemail.com> wrote:
> I would like to harden a web server setup using SELinux. How good is the
> support for SELinux on Squeeze? Are the instructions on the Debian Wiki
> [1] up to date for Squeeze? I tried this last time on Lenny, and DHCP
> couldn't work back then due to SELinux not letting modprobe load
> additional modules.

The support is quite good.  I run a bunch of Squeeze servers with SE Linux.

As for Lenny, I expect if you added appropriate entries to /etc/modules or 
used audit2allow you would have got it working.

> I'll only need Postfix, OpenSSH and nginx (or Cherokee - just static
> content for now). Are the official policy packages from Squeeze enough
> for such a setup, or should I always use Russell's repository? I had the
> impression Russell's changes are rather needed for a desktop, with fixes
> for mplayer and similar packages (I prefer using only "official" Debian
> packages, unless forced otherwise).

I can't imagine what the benefit would be in using "official" packages that I 
created and uploaded to Debian over using "unofficial" packages that I created 
and couldn't get in a Squeeze update because the changes would be too great or 
I didn't get time to go through the process of applying for them to be put in 
an update.

You will need to label those web server binaries as httpd_exec_t, use 
"semanage fcontext -a" to prevent a restorecon operation from undoing such 
changes.  Also you might need to generate some extra policy with audit2allow 
if they happen to do something different to Apache.  But the potential policy 
changes should be quite small, there really isn't much that Apache doesn't do.  
In many ways Apache could be regarded as the most complex daemon that we 
support in Debian.  According to SE Linux policy the MTAs are the only 
competition for that.

I have made more than a few changes to my "unofficial" policy packages that 
are specific to server operation, one that I recall is better support for 
NAGIOS.

> P.S. Russell, if you are reading this, lots and lots of thanks for the
> years of work on SELinux under Debian - I think we would have probably
> never got SELinux on Debian without your efforts.

I'm glad you appreciate it.

Debian was the first distribution to support SE Linux.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
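The labelling step Russell describes (give the web server binary the httpd_exec_t type, record it with "semanage fcontext -a" so restorecon does not undo it, then restorecon the file) as an added shell example that is not part of the list thread. It assumes the nginx binary is at /usr/sbin/nginx and that semanage, restorecon and ls -Z are the usual SELinux tools; the command outputs embedded below are constructed samples, not captured from a Squeeze system, so the script runs without SELinux present. The checks go one step past the post: they parse "semanage fcontext -l" and "ls -Z" output to distinguish "rule recorded" from "file actually relabelled", which is the gap that a forgotten restorecon leaves.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes the nginx binary lives at
# /usr/sbin/nginx and that semanage/restorecon/ls -Z are the standard SELinux
# tools; the sample outputs below are constructed, not captured from a system.

# Print the commands that give a web server binary the httpd_exec_t label
# persistently: "semanage fcontext -a" records the rule in the local file
# context database so a later restorecon or full relabel re-applies it instead
# of reverting the file to its default type.
label_plan() {
    printf '%s\n' "semanage fcontext -a -t httpd_exec_t '$1'"
    printf '%s\n' "restorecon -v '$1'"
}

# Read "semanage fcontext -l" output on stdin and succeed (exit 0) only if a
# rule whose path pattern is exactly $1 maps it to type $2.
has_fcontext_rule() {
    awk -v p="$1" -v t="$2" \
        '$1 == p && index($NF, ":" t ":") > 0 { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Extract the type component (third field) of a security context string such
# as system_u:object_r:bin_t:s0 -> bin_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given one "ls -Z" output line ("<context> <path>") and an expected type,
# succeed only if the file currently carries that type. This catches the case
# where the rule exists but restorecon has not yet been run on the file.
file_has_type() {
    [ "$(context_type "${1%% *}")" = "$2" ]
}

# Constructed sample data standing in for real command output.
SAMPLE_FCONTEXT='/usr/sbin/apache2    regular file    system_u:object_r:httpd_exec_t:s0
/usr/sbin/nginx    regular file    system_u:object_r:httpd_exec_t:s0'
SAMPLE_LS_Z='system_u:object_r:bin_t:s0 /usr/sbin/nginx'

# Demonstration: the rule is recorded, but the file on disk is still bin_t, so
# the restorecon step in label_plan is what actually fixes the running system.
if printf '%s\n' "$SAMPLE_FCONTEXT" | has_fcontext_rule /usr/sbin/nginx httpd_exec_t; then
    echo "fcontext rule for /usr/sbin/nginx present"
fi
if ! file_has_type "$SAMPLE_LS_Z" httpd_exec_t; then
    echo "on-disk label is $(context_type "${SAMPLE_LS_Z%% *}"); run:"
    label_plan /usr/sbin/nginx
fi
```

Once the binary runs as httpd_t, any remaining denials show up in the audit log; the audit2allow step Russell mentions (for example "audit2allow -a -M local" followed by "semodule -i local.pp") turns those into a small local module, and for a static-content server that module should stay short since Apache's policy already covers nearly everything a web server does.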