Re: Should selinux be standard?

2008-10-06 Thread Russell Coker
On Tuesday 16 September 2008 04:14, Bastian Blank [EMAIL PROTECTED] wrote:
 This
 cost me over one hour as bind lacks proper error messages in this code
 path.

Has that bug in bind (inadequate error reporting) been fixed?

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/  My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Should selinux be standard?

2008-10-06 Thread Russell Coker
Sorry for the delay in replying, you forgot to CC me...

On Tuesday 16 September 2008 22:12, Josselin Mouette [EMAIL PROTECTED] wrote:
 On Sunday 14 September 2008 at 21:32 +1000, Russell Coker wrote:
  For a typical desktop system (such as my EeePC) a default installation of
  SE Linux in Lenny works for most things.

 What do you mean by most things? What is not working?

The things that are not likely to be security problems will work well.

  If you add the packages from my
  repository (see the above URL) then mplayer also works in a default
  configuration.

 Mplayer? That’s one application. Do all applications that are part of
 the default setup work as expected? How many of them do not work without
 using an external repository?

The problem with mplayer is that it depends on libraries written and packaged 
by people who are more concerned about a possible 15% performance increase 
than a proven security risk.

There is a SE Linux boolean that you can set to enable execmod access, reduce 
the security of your system, and get a performance benefit for some 
operations.

 Is SELinux working out of the box? From your blog entries, I have the
 strong feeling that it is not the case.

Why don't you test it?  I've documented how to enable it, it's really not 
difficult.

 If the answer to this question is yes, what is the reason for not
 enabling it by default?

I think that we should enable it by default as Fedora did years ago.  But I 
think it's too late to do that now (and was too late on the 16th of Sep).

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/  My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development





Re: Should selinux be standard?

2008-10-06 Thread Bastian Blank
On Tue, Oct 07, 2008 at 06:38:12AM +1000, Russell Coker wrote:
 On Tuesday 16 September 2008 04:14, Bastian Blank [EMAIL PROTECTED] wrote:
  This
  cost me over one hour as bind lacks proper error messages in this code
  path.
 
 Has that bug in bind (inadequate error reporting) been fixed?

Not according to my inbox. (#490371)

Bastian

-- 
Time is fluid ... like a river with currents, eddies, backwash.
-- Spock, The City on the Edge of Forever, stardate 3134.0





Re: Should selinux be standard?

2008-10-06 Thread Russell Coker
On Tuesday 16 September 2008 22:45, Julien Cristau [EMAIL PROTECTED] wrote:
 On Tue, Sep 16, 2008 at 14:12:13 +0200, Josselin Mouette wrote:
  On Sunday 14 September 2008 at 21:32 +1000, Russell Coker wrote:
   For a typical desktop system (such as my EeePC) a default installation
   of SE Linux in Lenny works for most things.
 
  What do you mean by most things? What is not working?

 I just tried booting with selinux=1 on my laptop.  I see errors from mpd
 related to /usr/lib/libtheora.so.0.3.3,

On the i386 architecture the Lenny package is built with text relocations; this 
reduces the security in all operations but can enable a performance increase 
in some situations.  My Lenny SE Linux repository has packages to fix that.

 from xdm starting my X session, 

Were you running version 1:1.1.8-4?

 from sudo reading /etc/resolv.conf, from dmesg reading the system log,
 from ssh-add connecting to the ssh agent socket,

What was the context of your shell?

 from dhclient3 reading 
 /proc/net, creating a socket and doing anything with it, then some more
 errors from bind startup, postfix startup,

Was Postfix configured not to chroot?

 mutt, gpgkeys_hkp (apparently 
 it's not allowed to connect to 11371/tcp), firefox, or gconfd-2.  Uptime
 is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
 Looks like it's not ready for prime time to me.

Can you file bug reports with AVC messages?

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/  My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development





Re: Should selinux be standard?

2008-09-17 Thread Stephen Gran
This one time, at band camp, Manoj Srivastava said:
 On Tue, Sep 16 2008, Stephen Gran wrote:
  This is a sid install of the default policy in non-enforcing mode.  I
  can't guarantee that every one of those complaints would have
  generated errors that matter, but it doesn't look like we're tuned for
  a normal install just yet.
 
 Well, seems like I reach a different conclusion:
 __ audit2allow < ~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
 13
 
 13 lines of policy to get it into enforcing mode, assuming all
  of these actions are safe to allow.
 
 --8<---cut here---start--->8---

snip

 --8<---cut here---end--->8---
 
 So, pretty close. Why is logrotate looking into user home
  directories? There is the mount and /etc/mtab thingy, and ifconfig
  writing to ifstate; these should really be changed.
 
 I think dhcpd policy does need some loving.
 
 I would much rather we chased down these last outlier bits of
  policy, and let the local admin decide if they really want logrotate to
  look into every single user directory, or not (me, I would prefer to
  create a separate label for log files in my home dir, but that is
  perhaps just me).

I actually agree with you - I just don't think it's there yet.  mtab and
ifstate in particular seem like they will definitely disrupt normal
operation, and quite likely the ntp and dhclient issues will prove to be
a problem.  The logrotate issue I haven't investigated - it may just be
a mislabelled file for all I know (some system users have homes under
/var, and I'm guessing something like that could have gone wrong).

Cheers,
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Julien Cristau wrote:

 I just tried booting with selinux=1 on my laptop.  I see errors from mpd
 related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
 from sudo reading /etc/resolv.conf, from dmesg reading the system log,
 from ssh-add connecting to the ssh agent socket, from dhclient3 reading
 /proc/net, creating a socket and doing anything with it, then some more
 errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
 it's not allowed to connect to 11371/tcp), firefox, or gconfd-2.  Uptime
 is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
 Looks like it's not ready for prime time to me.

Firstly, what policy are you using? Has your machine been updated
 to actually compile/load the policy? (Like a number of packages,
 SELinux does need some configuration).

Secondly, if you are indeed using selinux-policy-default, and
 have a properly labelled file system, and are still experiencing
 problems, have you filed a bug? At the very least, people who see avc
 denials on a properly configured machine should send me and russell a
 copy of their warning messages;  this will help ensure that these bugs
 go away.

Lastly, even running in permissive mode, since the policy is not
 yet perfect, if the volume of messages is reduced, keeping an eye on
 xconsole and the AVC messages is a useful indication of unusual
 activity on your machine.

Yes, I call the permissive mode AVC denial messages a useful
 feature, and audit2allow enables people to locally shut up spurious AVC
 messages so the real ones do not get lost in the forest, until the
 default policy is updated in response to the bug report filed.

At this point, we are so close -- and I would rather go ahead
 and finish polishing off the remaining lacunae, than regress to not
 having SELinux at all.

While we have not reached the level required for strict policy,
 I think we are close to having targeted policy work out of the box. The
 last bit of work to make it work for lenny can be done, especially if
 people help identify the problem areas.

manoj

-- 
Q: Are we not men? A: We are Vaxen.
Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/~srivasta/  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Should selinux be standard?

2008-09-16 Thread Felipe Sateler
Manoj Srivastava wrote:

 Firstly, what policy are you using? Has your machine been updated
 to actually compile/load the policy? (Like a number of packages,
 SELinux does need some configuration).

I guess the argument could be made that a package that can't autoconfigure
itself for some basic functionality doesn't belong in a standard install.

-- 

  Felipe Sateler





Re: Should selinux be standard?

2008-09-16 Thread Martin Orr
On 16/09/08 13:44, Holger Levsen wrote:
 On Tuesday 16 September 2008 13:40, Reinhard Tartler wrote:
 so an `ls -Z` does not work for you?
 
 It doesn't do anything useful here.
 
 I'm all for enabling selinux per default, but I think it should be done when 
 it works, and such a change shouldn't be done so close before a release. The 
 point is that libselinux1 is installed everywhere, but not used/enabled by 
 default. So what's the point in installing it everywhere?

I can't see why you're complaining about libselinux1 - it's just a library,
and has to be installed everywhere since e.g. coreutils, sysvinit are linked
against it.  Like many libraries, it is quite happy to sit there doing
nothing.  The question is about installing policycoreutils and
selinux-refpolicy-default.

Was anyone suggesting enabling selinux by default for lenny?  That doesn't
seem sensible at this stage in the release cycle.  Given that, it probably
makes sense to reduce the policy priority, but with the intention of raising
it again after lenny is released and making SELinux enabled by default a
release goal for squeeze.

Best wishes,

-- 
Martin Orr





Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Julien Cristau wrote:

 I just tried booting with selinux=1 on my laptop.  I see errors from mpd
 related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
 from sudo reading /etc/resolv.conf, from dmesg reading the system log,
 from ssh-add connecting to the ssh agent socket, from dhclient3 reading
 /proc/net, creating a socket and doing anything with it, then some more
 errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
 it's not allowed to connect to 11371/tcp), firefox, or gconfd-2.  Uptime
 is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
 Looks like it's not ready for prime time to me.

Hmm.
__ dpkg -l | egrep '^ii' | wc -l
4431
__ uptime
 12:56:01 up  1:31,  2 users,  load average: 0.46, 0.28, 0.20
__ audit2allow < /var/log/messages | egrep -v '(^$)|(^#)' | wc -l
9
__ audit2allow < /var/log/messages | egrep -v '(^$)|(^#)'
allow avahi_t httpd_t:dbus send_msg;
allow hald_t pcscd_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t system_dbusd_t:dbus send_msg;
allow insmod_t lib_t:file execute_no_trans;
allow mdadm_t device_t:blk_file { read ioctl };
allow mdadm_t file_t:dir search;
allow pcscd_t hald_t:dbus send_msg;
allow pcscd_t system_dbusd_t:dbus send_msg;

I have not tried to boot into enforcing mode, but I am not sure
 which of these are actually needed, and which can safely be denied
 anyway. So, 9 missing lines in policy, out of which 6 are about dbus.
 Russell is probably way better than I to try to resolve these issues,
 but I'll see what I can do to help.

I have apache2, I run emacs (an OS by itself), I run iceweasel
 in a 32-bit chroot. I have modified udev to automagically mount my
 ipod/rockbox.

I humbly posit that this is pretty close to working now (for my
 development box, in default mode).

manoj
-- 
Go! And never darken my towels again! --Groucho Marx, Duck Soup.
Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/~srivasta/  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Should selinux be standard?

2008-09-16 Thread Franklin PIAT
On Tue, 2008-09-16 at 13:05 -0500, Manoj Srivastava wrote:
 On Tue, Sep 16 2008, Julien Cristau wrote:
 
  I just tried booting with selinux=1 on my laptop.  I see errors from mpd
  related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
  from sudo reading /etc/resolv.conf, from dmesg reading the system log,
  from ssh-add connecting to the ssh agent socket, from dhclient3 reading
  /proc/net, creating a socket and doing anything with it, then some more
  errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
  it's not allowed to connect to 11371/tcp), firefox, or gconfd-2.  Uptime
  is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
  Looks like it's not ready for prime time to me.
 
 Hmm.

My own laptop, installed 2007-02.


$dpkg -l | egrep '^ii' | wc -l
1964

$uptime 
21:07:07 up 3 days, 9 min,  9 users,  load average: 0.40, 0.19, 0.23

$cat /var/log/messages{,.0,.1} |audit2allow | egrep -v '(^$)|(^#)'|wc -l
46

Not so bad for an old laptop, with many non-standard settings, and
probably some files that are improperly tagged.

$cat /var/log/messages{,.0,.1} | audit2allow | egrep -v '(^$)|(^#)' 

allow avahi_t httpd_t:dbus send_msg;
allow crond_t file_t:file { read getattr };
allow cupsd_t dhcpc_var_run_t:file { read getattr };
allow dhcpc_t avahi_var_run_t:dir { write remove_name search getattr add_name };
allow dhcpc_t avahi_var_run_t:file { write rename create unlink getattr };
allow dhcpc_t etc_t:file { execute execute_no_trans };
allow dhcpc_t lib_t:file execute_no_trans;
allow gpm_t self:process signull;
allow hald_t apm_bios_t:chr_file { read ioctl };
allow hald_t self:capability ipc_lock;
allow hald_t self:dir mounton;
allow hald_t self:process setrlimit;
allow hald_t tmpfs_t:blk_file { read write create };
allow hald_t tmpfs_t:dir { write add_name };
allow hald_t tmpfs_t:filesystem { mount unmount };
allow hald_t xdm_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t dhcpc_var_run_t:file { read getattr };
allow httpd_t httpd_modules_t:lnk_file read;
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t system_dbusd_t:unix_stream_socket connectto;
allow httpd_t system_dbusd_var_run_t:dir search;
allow httpd_t system_dbusd_var_run_t:sock_file write;
allow httpd_t usr_t:file { execute execute_no_trans };
allow httpd_t var_lib_t:dir { create rmdir };
allow httpd_t var_lib_t:file { write append setattr };
allow httpd_t var_t:dir read;
allow httpd_t var_t:file { read getattr ioctl };
allow httpd_t var_t:lnk_file read;
allow inetd_t var_lib_t:dir search;
allow insmod_t device_t:dir { write add_name };
allow insmod_t lib_t:file execute_no_trans;
allow insmod_t self:capability mknod;
allow ldconfig_t usr_t:file read;
allow logrotate_t unconfined_home_dir_t:dir search;
allow mount_t dosfs_t:dir search;
allow mount_t etc_t:file { write append };
allow rpcd_t proc_net_t:lnk_file read;
allow system_dbusd_t inotifyfs_t:dir read;
allow udev_t etc_runtime_t:file { unlink append };
allow udev_t usr_t:file execute;
allow udev_t var_log_t:file read;
allow unconfined_t lib_t:file execmod;
allow unconfined_t self:process { execstack execmem };
allow vbetool_t console_device_t:chr_file { read write };
allow xdm_t hald_t:dbus send_msg;

 I have not tried to boot into enforcing mode, but I am not sure
  which of these are actually needed, and which can safely be denied
  anyway. 

Me neither.

  So, 9 missing lines in policy, out of which 6 are about dbus.
  Russell is probably way better than I to try to resolve these issues,
  but I'll see what I can do to help.

The entries related to apache are probably either related to my own
specific settings, or related to libapache2-mod-dnssd.
Most of the httpd entries are probably specific for my configuration.

Franklin





Re: Should selinux be standard?

2008-09-16 Thread Stephen Gran
This one time, at band camp, Josselin Mouette said:
 On Sunday 14 September 2008 at 21:32 +1000, Russell Coker wrote:
  For a typical desktop system (such as my EeePC) a default installation of 
  SE 
  Linux in Lenny works for most things.  
 
 What do you mean by most things? What is not working?

Sep 15 22:04:17 spartacus kernel: [   17.148409] type=1400 
audit(1221512644.263:3): avc:  denied  { execute_no_trans } for  pid=1497 
comm=sh path=/lib/alsa/modprobe-post-install dev=hda1 ino=133937 
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:lib_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   24.378414] type=1400 
audit(1221512651.107:4): avc:  denied  { unlink } for  pid=2141 comm=mount 
name=blkid.tab.old dev=hda1 ino=472430 scontext=system_u:system_r:mount_t:s0 
tcontext=system_u:object_r:etc_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   26.578258] type=1400 
audit(1221512653.313:5): avc:  denied  { append } for  pid=1215 comm=ifup 
name=ifstate dev=hda1 ino=472430 
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   26.884443] type=1400 
audit(1221512653.621:6): avc:  denied  { unlink } for  pid=1755 comm=ifup 
name=ifstate dev=hda1 ino=472430 
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   27.648008] SELinux: initialized (dev 
rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Sep 15 22:04:30 spartacus kernel: [   43.593733] type=1400 
audit(1221512670.315:8): avc:  denied  { search } for  pid=3230 comm=ntpd 
name=/ dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.617789] type=1400 
audit(1221512670.352:9): avc:  denied  { write } for  pid=3230 comm=ntpd 
name=/ dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.641627] type=1400 
audit(1221512670.376:10): avc:  denied  { add_name } for  pid=3230 comm=ntpd 
name=ntpGXDttA scontext=system_u:system_r:ntpd_t:s0 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500825] type=1400 
audit(1221512731.235:16): avc:  denied  { search } for  pid=3724 
comm=dhclient-script name=/ dev=tmpfs ino=8681 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500865] type=1400 
audit(1221512731.235:17): avc:  denied  { write } for  pid=3724 
comm=dhclient-script name=/ dev=tmpfs ino=8681 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500897] type=1400 
audit(1221512731.235:18): avc:  denied  { add_name } for  pid=3724 
comm=dhclient-script name=dhclient-script.debug 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500953] type=1400 
audit(1221512731.235:19): avc:  denied  { create } for  pid=3724 
comm=dhclient-script name=dhclient-script.debug 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=file
Sep 15 22:05:31 spartacus kernel: [  104.501021] type=1400 
audit(1221512731.235:20): avc:  denied  { append } for  pid=3724 
comm=dhclient-script name=dhclient-script.debug dev=tmpfs ino=12040 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=file
Sep 15 22:05:31 spartacus kernel: [  104.505653] type=1400 
audit(1221512731.239:21): avc:  denied  { getattr } for  pid=3728 comm=env 
path=/tmp/dhclient-script.debug dev=tmpfs ino=12040 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527213] type=1400 
audit(1221512736.259:22): avc:  denied  { read } for  pid=3772 
comm=start-stop-daem name=ntpd.pid dev=hda3 ino=239075 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527300] type=1400 
audit(1221512736.259:23): avc:  denied  { getattr } for  pid=3772 
comm=start-stop-daem path=/var/run/ntpd.pid dev=hda3 ino=239075 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527402] type=1400 
audit(1221512736.259:24): avc:  denied  { kill } for  pid=3772 
comm=start-stop-daem capability=5 scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
Sep 15 22:05:36 spartacus kernel: [  109.527470] type=1400 
audit(1221512736.259:25): avc:  denied  { signal } for  pid=3772 
comm=start-stop-daem scontext=system_u:system_r:dhcpc_t:s0 
tcontext=system_u:system_r:ntpd_t:s0 tclass=process
Sep 15 22:05:36 spartacus kernel: [  109.531109] 

Re: Should selinux be standard?

2008-09-16 Thread Josselin Mouette
On Tuesday 16 September 2008 at 13:05 -0500, Manoj Srivastava wrote:
 allow avahi_t httpd_t:dbus send_msg;
 allow hald_t pcscd_t:dbus send_msg;
 allow httpd_t avahi_t:dbus send_msg;
 allow httpd_t system_dbusd_t:dbus send_msg;
 allow insmod_t lib_t:file execute_no_trans;
 allow mdadm_t device_t:blk_file { read ioctl };
 allow mdadm_t file_t:dir search;
 allow pcscd_t hald_t:dbus send_msg;
 allow pcscd_t system_dbusd_t:dbus send_msg;
 
 I have not tried to boot into enforcing mode, but I am not sure
  which of these are actually needed, and which can safely be denied
  anyway.

If any of these are useless, why don’t you file corresponding bugs?

-- 
 .''`.
: :' :  We are debian.org. Lower your prices, surrender your code.
`. `'   We will add your hardware and software distinctiveness to
  `-     our own. Resistance is futile.




Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Stephen Gran wrote:
 This is a sid install of the default policy in non-enforcing mode.  I
 can't guarantee that every one of those complaints would have
 generated errors that matter, but it doesn't look like we're tuned for
 a normal install just yet.

Well, seems like I reach a different conclusion:
__ audit2allow < ~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
13

13 lines of policy to get it into enforcing mode, assuming all
 of these actions are safe to allow.

--8<---cut here---start--->8---
allow dhcpc_t ntpd_t:process signal;
allow dhcpc_t ntpd_var_run_t:file { read getattr unlink };
allow dhcpc_t self:capability kill;
allow dhcpc_t tmpfs_t:dir { write search add_name };
allow dhcpc_t tmpfs_t:file { create getattr append };

allow fsadm_t apmd_t:fd use;

allow insmod_t apmd_t:unix_stream_socket { read write };
allow insmod_t lib_t:file execute_no_trans;

allow logrotate_t unconfined_home_dir_t:dir search;

allow mount_t etc_t:file unlink;
allow ntpd_t tmpfs_t:dir { write search add_name };
allow udev_t etc_runtime_t:file { unlink append };
allow unconfined_t self:process { execstack execmem };
--8<---cut here---end--->8---

So, pretty close. Why is logrotate looking into user home
 directories? There is the mount and /etc/mtab thingy, and ifconfig
 writing to ifstate; these should really be changed.

I think dhcpd policy does need some loving.

I would much rather we chased down these last outlier bits of
 policy, and let the local admin decide if they really want logrotate to
 look into every single user directory, or not (me, I would prefer to
 create a separate label for log files in my home dir, but that is
 perhaps just me).

manoj
-- 
The lesser of two evils -- is evil. Seymour (Sy) Leon
Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/~srivasta/  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
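
The raw kernel AVC denials Stephen Gran posted earlier in the thread and the audit2allow summary above are two views of the same data. As an added example (not code from the thread or from the real audit2allow tool), this Python script rebuilds the summary from the raw log: it rejoins records the mail client wrapped, reduces each denial to (source type, target type, class, permission), collapses them into allow rules, and groups the rules by source domain so the domain that accounts for most of the gap (dhcpc_t in this data) stands out before anyone decides which denials deserve policy changes. The sample log is a constructed subset of the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the kernel AVC records quoted in the thread,
# kept with the line wrapping the mail client applied to them.
SAMPLE_LOG = """\
Sep 15 22:04:17 spartacus kernel: [   17.148409] type=1400
audit(1221512644.263:3): avc:  denied  { execute_no_trans } for  pid=1497
comm=sh path=/lib/alsa/modprobe-post-install dev=hda1 ino=133937
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   27.648008] SELinux: initialized (dev
rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Sep 15 22:04:30 spartacus kernel: [   43.593733] type=1400
audit(1221512670.315:8): avc:  denied  { search } for  pid=3230 comm=ntpd
name=/ dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.641627] type=1400
audit(1221512670.376:10): avc:  denied  { add_name } for  pid=3230 comm=ntpd
name=ntpGXDttA scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:36 spartacus kernel: [  109.527213] type=1400
audit(1221512736.259:22): avc:  denied  { read } for  pid=3772
comm=start-stop-daem name=ntpd.pid dev=hda3 ino=239075
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527300] type=1400
audit(1221512736.259:23): avc:  denied  { getattr } for  pid=3772
comm=start-stop-daem path=/var/run/ntpd.pid dev=hda3 ino=239075
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527402] type=1400
audit(1221512736.259:24): avc:  denied  { kill } for  pid=3772
comm=start-stop-daem capability=5 scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
Sep 15 22:05:36 spartacus kernel: [  109.531109]
"""

# A record starts with a syslog timestamp; everything else is a wrapped tail.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def join_wrapped_lines(text):
    """Rejoin records wrapped by the mail client: a record starts with a
    syslog timestamp, any other non-empty line continues the one before."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def context_type(ctx):
    """'user:role:type[:range]' -> 'type', the part policy rules name."""
    return ctx.split(":")[2]

def parse_denials(text):
    """(source_type, target_type, tclass, perm) per denied permission.
    Non-AVC records ('SELinux: initialized ...') are skipped; a target equal
    to the source becomes 'self', as it is written in policy."""
    denials = []
    for record in join_wrapped_lines(text):
        m = AVC_RE.search(record)
        if not m:
            continue
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        tgt = "self" if tgt == src else tgt
        for perm in m.group("perms").split():
            denials.append((src, tgt, m.group("tclass"), perm))
    return denials

def to_allow_rules(denials):
    """Collapse denials into one 'allow src tgt:class perms;' line per
    (source, target, class), permissions in order of first appearance."""
    perms = defaultdict(list)
    for src, tgt, tclass, perm in denials:
        if perm not in perms[(src, tgt, tclass)]:
            perms[(src, tgt, tclass)].append(perm)
    rules = []
    for (src, tgt, tclass), plist in sorted(perms.items()):
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

def rules_by_domain(rules):
    """Group rules by source domain so the domain needing policy work stands out."""
    grouped = defaultdict(list)
    for rule in rules:
        grouped[rule.split()[1]].append(rule)
    return dict(grouped)

if __name__ == "__main__":
    by_domain = rules_by_domain(to_allow_rules(parse_denials(SAMPLE_LOG)))
    for domain, domain_rules in sorted(by_domain.items()):
        print(f"# {domain}: {len(domain_rules)} rule(s)")
        print("\n".join(domain_rules))
```

Unlike the real audit2allow this keeps permissions in first-seen order and knows nothing about existing policy or booleans, so its output is a triage list, not something to load with semodule as-is.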





Re: Should selinux be standard?

2008-09-16 Thread Raphael Geissert
Manoj Srivastava wrote:

 On Mon, Sep 15 2008, Raphael Geissert wrote:
 
 Bastian Blank wrote:

 On Mon, Sep 15, 2008 at 06:12:03PM +0200, Josselin Mouette wrote:
 On Monday 15 September 2008 at 10:12 -0500, Manoj Srivastava wrote:
   Agreed. Either SELinux is suitable with our default setup and we
   should enable it by default to get all its alleged benefits, or it
   is not, and we should simply not install it.
  Since the new default policy seems to be working in targeted
   mode, I think we are doing fine.
 Fine. Then let’s enable it by default.
 
 Oh yeah. Do you intend to do the support?

 If it is not very functional by default, or it is but nobody is
 willing to support it, then it shouldn't be standard; that's the main
 point.
 
 If it is not functional, there should be bugs filed, no?

There should and will, but only if it is used.
I have had neither time nor interest to read the docs to correctly set up
SELinux. So, the several packages which are installed by default because
of priority: standard, are completely useless.

 
 manoj

Cheers,
Raphael





Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Raphael Geissert wrote:

 There should and will, but only if it is used.
 I have had neither time nor interest to read the docs to correctly set up
 SELinux. So, the several packages which are installed by default because
 of priority: standard, are completely useless.

Packages that are useless to some people are not a very
 interesting set, since I can see some people having no use for some of
 the packages below.

Package: telnet
Package: exim4-config
Package: cpp-4.1
Package: g++-4.1
Package: libdns22
Package: python-minimal
Package: console-tools
Package: vim-common
Package: whiptail
Package: python
Package: console-data
Package: file
Package: gcc-4.1

Indeed, the question is not about utility for everyone, but the
 selection of a set of characteristics for the operating system we are
 creating, such that they prove to be of utility to a larger set of
 people. I think, in this day and age, mandatory security should have a
 low barrier of entry -- so something that is available, installed, and
 just needs minor configuration to enable is better than not having it
 around. And that means not disabling the patches that more and more
 upstreams are incorporating.

I think we have low enough avc denial rates that
 unconfined/permissive already provides value. We are pretty close to
 achieving unconfined/enforcing for Lenny, and with help from people I
 think we can be there. strict/permissive and strict/enforcing should
 be doable for squeeze.

manoj
-- 
The ends justify the means. after Matthew Prior
Manoj Srivastava [EMAIL PROTECTED] http://www.debian.org/~srivasta/  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Should selinux be standard?

2008-09-14 Thread David Goodenough
On Sunday 14 September 2008, Martin Michlmayr wrote:
 I'd like to ask whether selinux should really be installed by default.
 On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
 installing selinux-policy-default takes at least half an hour (with
 heavy swapping) or possibly even more.  This is a major regression
 from the installer experience of etch.  A bug about this problem was
 filed about 3 weeks ago (#495786) but there was no response from the
 maintainer at all.

 Is selinux actually used much in Debian and should it be standard?
 --
 Martin Michlmayr
 http://www.cyrius.com/

Did I not read about a slimmed-down SELinux-like function that had been
added to the kernel recently specifically for embedded systems?  I would
have thought that this would be more relevant to the NSLU2.

David





Re: Should selinux be standard?

2008-09-14 Thread Frans Pop
Martin Michlmayr wrote:
 I'd like to ask whether selinux should really be installed by default.
 On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
 installing selinux-policy-default takes at least half an hour (with
 heavy swapping) or possibly even more.  This is a major regression
 from the installer experience of etch.  A bug about this problem was
 filed about 3 weeks ago (#495786) but there was no response from the
 maintainer at all.

Although I agree with your basic question, I do wonder how it can be a 
regression from Etch as selinux was also priority standard for Etch.
It was my impression that selinux installation had become faster recently 
after Russell reworked the packaging, at least on x86.

The reason it was made priority standard not long before the release of 
Etch was because Manoj wanted to see if having it installed by default 
would promote more general adoption and actual use of SELinux.
Unfortunately the actual thing that happened was that SELinux has 
essentially been unmaintained for most of Lenny's development cycle, and 
that the promised support was completely absent.
SELinux packaging has only very recently been revived when Russell stepped 
in (with major improvements from what I've seen).

I think Etch has shown that merely having SELinux standard does _not_ 
promote its wider use. I would also argue that people who actually want 
to use SELinux will also know how to install it afterwards.

I also feel that SELinux is not sufficiently tuned for Debian. I don't 
know what the exact current status is and what has changed since Russell 
stepped in, but when I tried it last year a lot of additional tuning was 
needed to get for example normal package upgrades to run cleanly.

And finally, I too have frequently been annoyed at the time taken by SELinux 
installation during installation tests. Especially on slower hardware or 
in emulators it can be quite painful.

For those reasons I support the suggestion to change the priority of 
SELinux back to optional.
We can always discuss returning it to priority standard if/when SELinux is 
really ready to be not only installed by default, but also activated by 
default. And even then I can see it being implemented as a secure 
system task in tasksel or as a separate debconf question during 
installation rather than by raising priority to standard.

Note that I did bring up this question earlier, at that point primarily 
because of its maintenance status [1].

Cheers,
FJP

[1] http://lists.debian.org/debian-devel/2008/02/msg00223.html




Re: Should selinux be standard?

2008-09-14 Thread Russell Coker
On Sunday 14 September 2008 19:08, Martin Michlmayr [EMAIL PROTECTED] wrote:
 I'd like to ask whether selinux should really be installed by default.
 On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
 installing selinux-policy-default takes at least half an hour (with
 heavy swapping) or possibly even more.  This is a major regression
 from the installer experience of etch.  A bug about this problem was
 filed about 3 weeks ago (#495786) but there was no response from the
 maintainer at all.

I have made enquiries upstream and there are some suggestions as to how to 
alleviate this issue (most of which can't be done in Lenny).

There may be some minor things I can do to alleviate the problem.  One change 
that I have made which will go into the next version is to only have a single 
run of semodule.  This drops the configure time on an AMD64 system with 64M 
of RAM from 7m0.876s to 6m40.407s.  It's only a 5% benefit, but still worth 
having.

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/  My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development





Re: Should selinux be standard?

2008-09-14 Thread Russell Coker
On Sunday 14 September 2008 20:40, Frans Pop [EMAIL PROTECTED] wrote:
 Although I agree with your basic question, I do wonder how it can be a
 regression from Etch as selinux was also priority standard for Etch.
 It was my impression that selinux installation had become faster recently
 after Russell reworked the packaging, at least on x86.

I changed the postinst such that instead of running semodule ~24 times it 
would run it twice.  The next version of the policy packages will run it once 
(for an incremental benefit - nothing like the benefit of going from ~24 to 
2).

 The reason it was made priority standard not long before the release of
 Etch was because Manoj wanted to see if having it installed by default
 would promote more general adoption and actual use of SeLinux.
 Unfortunately the actual thing that happened was that SeLinux has
 essentially been unmaintained for most of Lenny's development cycle, and that
 the promised support was completely absent.
 SeLinux packaging has only very recently been revived when Russell stepped
 in (with major improvements from what I've seen).

Now Manoj is actively working on it too.  Things are starting to work pretty 
well.

http://doc.coker.com.au/computers/installing-se-linux-on-lenny/

For a typical desktop system (such as my EeePC) a default installation of SE 
Linux in Lenny works for most things.  If you add the packages from my 
repository (see the above URL) then mplayer also works in a default 
configuration.

 I also feel that SeLinux is not sufficiently tuned for Debian. I don't
 know what the exact current status is and what has changed since Russell
 stepped in, but when I tried it last year a lot of additional tuning was
 needed to get for example normal package upgrades to run cleanly.

Things have changed a lot since then.  Please try installing SE Linux now and 
you will find everything a lot easier.

 And finally, I too have frequently been annoyed at the time taken by SeLinux
 installation during installation tests. Especially on slower hardware or
 in emulators it can be quite painful.

http://www.fedorafaq.org/

Pages such as the above document that you can pass selinux=0 as a parameter 
to the Fedora installation kernel to not have SE Linux enabled.  Would it be 
possible to have the Debian installer look for selinux=0 on the kernel 
command-line and then not install the SE Linux packages?

 For those reasons I support the suggestion to change the priority of
 SeLinux back to optional.
 We can always discuss returning it to priority standard if/when SeLinux is
 really ready to be not only installed by default, but also activated by
 default. And even then I can see it being implemented as a secure
 system task in tasksel or as a separate debconf question during
 installation rather than by raising priority to standard.

 Note that I did bring up this question earlier, at that point primarily
 because of its maintenance status [1].

Yes, unfortunately I had been lacking time to work on it for a while.  Now 
I've got more time and things are working well.

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/  My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

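As an added illustration of the two points raised in the message above (it is not the Debian policy packages' actual postinst, which is not shown in the thread), here is a POSIX sh sketch that skips policy loading when the kernel was booted with selinux=0 and otherwise loads every module in a single semodule invocation instead of one call per module. The CMDLINE_FILE, SEMODULE and DRY_RUN overrides are assumptions added so the logic can be exercised without root or an SELinux kernel.

```shell
#!/bin/sh
# Added example, not the Debian packaging's own postinst code.
# The kernel command line file and the semodule binary are overridable
# so the logic can be tested without root or a running SELinux kernel.
: "${CMDLINE_FILE:=/proc/cmdline}"
: "${SEMODULE:=semodule}"

# Return 0 when the kernel was booted with selinux=0, matched as a whole
# word so that e.g. "enforcing=0" or "selinux=1" do not match.
selinux_disabled_on_cmdline() {
    for word in $(cat "$CMDLINE_FILE" 2>/dev/null); do
        [ "$word" = "selinux=0" ] && return 0
    done
    return 1
}

# Build one semodule invocation with an -i argument for every .pp module
# in the given directory (one policy load instead of ~24 separate ones).
# Prints the command line; with DRY_RUN=1 it is printed but not executed.
load_policy_modules() {
    module_dir=$1
    set --
    for pp in "$module_dir"/*.pp; do
        [ -f "$pp" ] || continue
        set -- "$@" -i "$pp"
    done
    [ $# -gt 0 ] || return 1
    echo "$SEMODULE $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$SEMODULE" "$@"
}

# Postinst-style entry point: honour selinux=0, else load all modules.
install_policy() {
    if selinux_disabled_on_cmdline; then
        echo "selinux=0 on kernel command line, skipping policy load"
        return 0
    fi
    load_policy_modules "$1"
}
```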
