On Thu, 2003-09-18 at 09:24, Peter Simons wrote:
> just curious: How closely does the Gentoo policy resemble the one from
> Russel Coker? I'm asking because his policy is becoming the de facto
> standard, as it appears, and most of the interesting developments are
> in his distribution first of all. (Moments ago I read about his effort
> to secure the ssh daemon so that remote exploits will not gain you
> real privileges on the machine!)

Pretty hard to tell how similar the policies are. If you did a diff
between the policies, you'd probably come up with hundreds if not
thousands of changes. Generally, they're very similar.

Russell has done the Debian policy for a long time and has extensive
policy experience. He is also now employed by Red Hat to do SELinux
stuff. So, he's got his professional and personal time to do all sorts
of policy stuff. Since he has his hands in both of these policies, it's
easy to see that his policy would be like de facto.

> How quickly do changes like this in his policy make it into the Gentoo
> policy? How difficult is it for the user (me) to import such changes
> myself? Have the Gentoo policy sources, generally speaking, changed
> much compared to his?

I don't look through his policy to try to find things. Russell is
pretty active in trying to get important changes into the NSA example
policy. I usually take these patches when appropriate. Depending on
the complexity of the change, it probably isn't advisable to try to
bring in his changes. If you attempt to incorporate changes from his
policy into yours, I suggest backing up your policy. If you don't
understand the possible side effects of the change, you could compromise
or just plain break your policy.

The Gentoo policy is based on the NSA example policy, but diverges from
the NSA policy in some areas. For example, the improved proc
restrictions are only in Gentoo policy right now. The Gentoo policy
also has a unified syslogd policy rather than separate syslog and klog,
to make syslog-ng and metalog work. I've also started adding other
arch-specifics to the Gentoo policy (these are mainly file context
additions). I have a PPC machine running a 2.6 kernel in enforcing (you
might have noticed the creation of the SELinux PPC profile).

--
Chris PeBenito
<pebenito@g.o>
Developer, SELinux
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243