Re: Penalty of SELinux?
On Tue, 25 Sep 2007 03:11:39 -0500, Mike McCarty <Mike.McCarty@sbcglobal.net> said:
> Manoj Srivastava wrote:
>> On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty
>> <Mike.McCarty@sbcglobal.net> said:
>>
>>> Manoj Srivastava wrote:
>>>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>>>> <Mike.McCarty@sbcglobal.net> said:
>>>>
>>>>> Manoj Srivastava wrote:
>>>>>> Firstly: Very few packages have been actively patched to link
>>>>> Something like 50 or so. ls, mv, cp, etc.
>>>> Source packages. All those are from coreutils, no?
>>
>>> I believe so. My response was in regards to "very few". I suppose
>>> that is a subjective response. "50 or so" is not subjective.
>>
>> My response suggests that 50 or so is inaccurate, if you count source
>> packages. It is fewer than that. Compared to 10k source packages,
>> however, even the bloated figure of 50 is "few". BTW, I count 29
>> packages.
> I was using the published figure for Red Hat. They included such apps
> as ls, ps, mv, cp, etc. which are modified either to display or
> propagate attributes of processes or files.
ls is not a package. ls comes from coreutils. Normal
applications need zero modification under SELinux. Some applications
which manage security may need to be made SELinux-aware, although
this can often be done with PAM plugins, which is a standard way to do
this kind of thing in modern Unix & Linux OSs.
--8<---------------cut here---------------start------------->8---
>> libselinux1 Reverse Depends: coreutils cron dbus dmraid dmsetup fcron
>> gdm gnome-user-share libblkid1 libdevmapper1.02.1 libgnomevfs2-0
>> libnss-db libpam-modules librpm4.4 logrotate loop-aes-utils lvm2
>> mount nautilus openssh-server passwd policycoreutils prelink rpm
>> sysvinit sysvinit-utils udev util-linux xdm
--8<---------------cut here---------------end--------------->8---
> So, ls can't display the extended attributes of the files? And ps
> can't display the attributes of the processes? And find can't be used
> selectively to find files based on the extended attributes?
Again, you seem to be confusing executables with packages. ls is
not a package. (try dpkg -l ls).
But yes, unless coreutils is patched, ls -Z would probably
return an error.
--8<---------------cut here---------------start------------->8---
__> ls -Z .login
-rw-r--r-- srivasta srivasta user_u:object_r:user_home_t:s0 .login
--8<---------------cut here---------------end--------------->8---
> It would take more than just kernel, of course. I am investigating
> LFS. Gentoo seems to have accepted SELinux as well, though since it is
> a source distro most of the work would be easier in that case,
> perhaps.
Not really. You'll have to unpatch a whole bunch of gentoo
source packages. And gentoo is further along than us with respect to
security policy integration -- the keeper of the SELinux security
policy is a gentoo core developer.
manoj
--
"The real problem with SDI is that it doesn't kill anybody." Tom Neff
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
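The `ls -Z` line above shows a file's SELinux context as a colon-separated label (user:role:type:level). The following added example, which is not part of the thread or of any of the packages named in it, splits such a label into its fields and audits a set of `ls -Z` lines for files whose type does not match what a directory is expected to carry. It assumes the older five-field `ls -Z` layout shown in the message (mode, owner, group, context, name); the sample lines and the file named `stray` are constructed for the example, and the MLS level field may itself contain colons (as in `s0-s0:c0.c1023`), which the parser preserves.

```sh
#!/bin/sh
# Added example (not from the thread): split SELinux context labels as
# printed by `ls -Z` and flag files whose type differs from an expected one.

# parse_context LABEL -> prints "user role type level" on one line.
# Only the first three colons are significant; whatever follows the third
# colon is the MLS/MCS level and may contain further colons.
parse_context() {
    label=$1
    user=${label%%:*};  rest=${label#*:}
    role=${rest%%:*};   rest=${rest#*:}
    type=${rest%%:*};   level=${rest#*:}
    # A label without a level has only three fields; then level == type.
    [ "$level" = "$type" ] && level=""
    printf '%s %s %s %s\n' "$user" "$role" "$type" "$level"
}

# context_of_ls_line LINE -> prints "<context> <name>" for one `ls -Z`
# line in the layout "mode owner group context name". The context is the
# first field that contains at least two colons; the name is the last field.
context_of_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, f, ":") >= 3) { print $i, $NF; exit }
    }'
}

# audit_types EXPECTED_TYPE  (reads `ls -Z` output on stdin)
# Prints "MISMATCH <name> <type>" for every file whose type is not EXPECTED_TYPE.
audit_types() {
    expected=$1
    while IFS= read -r line; do
        set -- $(context_of_ls_line "$line")
        ctx=$1; name=$2
        [ -z "$ctx" ] && continue          # skip lines with no context field
        t=$(parse_context "$ctx" | cut -d' ' -f3)
        [ "$t" = "$expected" ] || printf 'MISMATCH %s %s\n' "$name" "$t"
    done
}

# Constructed sample output in the 2007-era `ls -Z` layout; the first line
# is the one quoted in the message, the others are made up for the example.
SAMPLE_LS_Z='-rw-r--r-- srivasta srivasta user_u:object_r:user_home_t:s0 .login
-rw-r--r-- srivasta srivasta user_u:object_r:user_home_t:s0 .profile
-rwxr-xr-x srivasta srivasta system_u:object_r:bin_t:s0 stray'

# Home directory files are expected to carry user_home_t; report the rest.
printf '%s\n' "$SAMPLE_LS_Z" | audit_types user_home_t
```

On a live system the sample would be replaced by `ls -Z` output from the directory being audited; note that current coreutils prints a different column layout for `ls -Z` than the one quoted in the message, so `context_of_ls_line` picks the context by its colon count rather than by position.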