
Re: Penalty of SELinux?



On Tue, Sep 25, 2007 at 03:11:39AM -0500, Mike McCarty wrote:
> Manoj Srivastava wrote:
>> On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty 
>> <Mike.McCarty@sbcglobal.net> said: 
>>> Manoj Srivastava wrote:
>>>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>>>> <Mike.McCarty@sbcglobal.net> said:
>>>>
>>>>> Manoj Srivastava wrote:
>>>>>> Firstly: Very few packages have been actively patched to link
>>>>> Something like 50 or so. ls, mv, cp, etc.
>>>> Source packages.  All those are from coreutils, no?
>>> I believe so. My response was in regards to "very few". I suppose that
>>> is a subjective response. "50 or so" is not subjective.
>>         My response suggests that 50 or so is inaccurate, if you count
>>  source packages. It is fewer than that.  Compared to 10k source
>>  packages, however, even the bloated figure of 50  is "few". BTW, I
>>  count 29 packages.
>
> I was using the published figure for Red Hat. They included such
> apps as ls, ps, mv, cp, etc. which are modified either to display
> or propagate attributes of processes or files.
>
>> --8<---------------cut here---------------start------------->8---
>> libselinux1 Reverse Depends:
>>   coreutils cron dbus dmraid dmsetup fcron gdm gnome-user-share
>>   libblkid1 libdevmapper1.02.1 libgnomevfs2-0 libnss-db libpam-modules
>>   librpm4.4 logrotate loop-aes-utils lvm2 mount nautilus openssh-server
>>   passwd policycoreutils prelink rpm sysvinit sysvinit-utils udev
>>   util-linux xdm
>> --8<---------------cut here---------------end--------------->8---
>
> So, ls can't display the extended attributes of the files?
> And ps can't display the attributes of the processes?
> And find can't be used selectively to find files based on
> the extended attributes?

That is it. The extended attributes, IIRC, are called the 'security
context' and IIRC they are accessed with a '-Z' option (e.g. 'ls -Z').

>
>>>> Right. But a few hundred KB in memory is a smallish penalty, and
>>> More subjectivity :-)
>>         All opinions are subjective.
>
> Naturally.
>
>>>> even 708 old hardware seems to be running it fine for me.
>>> My objection is to having on my machine at all.
>>         Feel free to create your own apt sources where you
>>  specifically override the defaults you do not like. This is the only
>>  recourse for those of us who do not like some aspect of the
>>  distribution, and care enough to take the effort to fork our own
>>  packages (I do my own kernel, uml, emacs, gnus, et al. packages)
>
> It would take more than just kernel, of course. I am investigating
> LFS. Gentoo seems to have accepted SELinux as well, though since
> it is a source distro most of the work would be easier in that
> case, perhaps.

There are 2 approaches to application security that I am aware of:
AppArmor and SELinux.  Debian has SELinux, although Ubuntu now has
both and seems to be favouring AppArmor for some odd reason that I
have not investigated.  If Ubuntu continues, it could be another rift
with unknown consequences. I have read about more distros supporting
SELinux than AppArmor. I have also read some on SELinux and of the
discussions of it on -devel and seem to think it's the way to go.
Hopefully sometime in the near future we will have either a targeted or
strict policy that is usable for average web server use in one or two
releases that is not as complicated as it is now. IIRC the folks on that
mission include Manoj and Eric Shubert, who I wish well on that AVC
filled road.
Cheers,
K

-- 
|  .''`.  == Debian GNU/Linux == |       my web site:           |
| : :' :      The  Universal     |mysite.verizon.net/kevin.mark/|
| `. `'      Operating System    | go to counter.li.org and     |
|   `-    http://www.debian.org/ |    be counted! #238656       |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org         |
|join the new debian-community.org to help Debian!              |
|_______  Unless I ask to be CCd, assume I am subscribed _______|
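As an added illustration (not code from this thread or from coreutils/libselinux) of what the `-Z` options in the message above actually read: a file's security context lives in the `security.selinux` extended attribute, and a process's context is exposed in `/proc/<pid>/attr/current`, so both can be fetched with the Python standard library alone. It assumes a Linux host; on a kernel without SELinux the lookup functions return `None` instead of a context.

```python
"""Added example: read what `ls -Z` and `ps -Z` display, without libselinux.

Assumes Linux. Files carry their SELinux label in the `security.selinux`
xattr; processes expose theirs in /proc/<pid>/attr/current. A context is
the string user:role:type:level, e.g. system_u:object_r:etc_t:s0.
"""
import os
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range, e.g. "s0" or "s0-s0:c0.c1023"


def parse_context(raw: str) -> Context:
    """Split 'user:role:type:level'. The level may itself contain colons
    (MCS categories), so split at most three times from the left."""
    parts = raw.rstrip("\x00\n").split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not an SELinux context: {raw!r}")
    return Context(*parts)


def file_context(path: str) -> Optional[Context]:
    """What `ls -Z` shows: the security.selinux xattr, not following symlinks.
    None when the kernel has no SELinux, the fs has no xattr, or access is denied."""
    if not hasattr(os, "getxattr"):  # non-Linux Python builds
        return None
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:  # ENODATA, ENOTSUP, EACCES, ...
        return None
    return parse_context(raw.decode())


def process_context(pid: Optional[int] = None) -> Optional[Context]:
    """What `ps -Z` shows: /proc/<pid>/attr/current for the given (or own) pid."""
    pid = os.getpid() if pid is None else pid
    try:
        with open(f"/proc/{pid}/attr/current") as f:
            raw = f.read()
    except OSError:
        return None
    try:
        return parse_context(raw)
    except ValueError:  # e.g. "unconfined" under a different LSM such as AppArmor
        return None


if __name__ == "__main__":
    print("file / :", file_context("/"))
    print("self   :", process_context())
```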