
Re: Penalty of SELinux?



Manoj Srivastava wrote:
On Tue, 25 Sep 2007 03:11:39 -0500, Mike McCarty <Mike.McCarty@sbcglobal.net> said:

[snip]

packages. It is fewer than that.  Compared to 10k source packages,
however, even the bloated figure of 50 is "few". BTW, I count 29
packages.

I was using the published figure for Red Hat. They included such apps
as ls, ps, mv, cp, etc. which are modified either to display or
propagate attributes of processes or files.

        ls is not a package. ls comes from coreutils. Normal

I didn't say it was. You used the word "package". I used the word
"app". If each "package" has two "apps" then we get close to 50,
I think.

 applications need zero modification under SELinux. Some applications

I didn't claim anything like what you say here.

[snip]

 which manage security may need to be made SELinux-aware, although
 this can often be done with PAM plugins, which is a standard way to do
 this kind of thing in modern Unix & Linux OSs.
It would take more than just kernel, of course. I am investigating
LFS. Gentoo seems to have accepted SELinux as well, though since it is
a source distro most of the work would be easier in that case,
perhaps.

        Not really.  You'll have to unpatch a whole bunch of gentoo
 source packages. And gentoo is further along than us with respect to
 security policy integration -- the keeper of the SELinux security
 policy is a gentoo core developer.

As I said, it might be a good starting place. If the patching of
the source is done right, it's dependent upon a define anyway.
I don't have high hopes for that. "Unpatching" is not difficult,
as there are diff tools which can do that automatically if one
has the original source. Providing that back to Gentoo, along
with a polite request, might get access to original source.

If, as you say, the changes are "small", then pulling the
unmodified sources for those things which are changed
for SELinux should not be difficult. Since one is going to
build from source anyway, then the rest is a shoo-in.

I'm not so sure the changes are "small".

If Gentoo is not amenable, then there's SLAX, which I believe
does not have SELinux.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!