| 1 |
On Thu, 2003-09-18 at 09:24, Peter Simons wrote: |
| 2 |
> just curious: How closely does the Gentoo policy resemble the one from |
| 3 |
> Russel Coker? I'm asking because his policy is becoming the de facto |
| 4 |
> standard, as it appears, and most of the interesting developments are |
| 5 |
> in his distribution first of all. (Moments ago I read about his effort |
| 6 |
> to secure the ssh daemon so that remote exploits will not gain you |
| 7 |
> real privileges on the machine!) |
| 8 |
|
| 9 |
Pretty hard to tell how similar the policies are. If you did a diff |
| 10 |
between the policies, you'd probably come up with hundreds if not |
| 11 |
thousands of changes. Generally, they're very similar. |
| 12 |
|
| 13 |
Russell has done the Debian policy for a long time and has extensive |
| 14 |
policy experience. He is also now employed by Red Hat to do SELinux |
| 15 |
stuff. So, he's got his professional and personal time to do all sorts |
| 16 |
of policy stuff. Since he has his hands in both of these policies, its |
| 17 |
easy to see that his policy would be like de facto. |
| 18 |
|
| 19 |
> How quickly do changes like this in his policy make it into the Gentoo |
| 20 |
> policy? How difficult is it for the user (me) to import such changes |
| 21 |
> myself? Have the Gentoo policy sources, generally speaking, changed |
| 22 |
> much compared to his? |
| 23 |
|
| 24 |
I don't look through his policy to try to find things. Russell is |
| 25 |
pretty active in trying to get important changes into the NSA example |
| 26 |
policy. I usually take these patches when appropriate. Depending on |
| 27 |
the complexity of the change, it probably isn't advisable to try to |
| 28 |
bring in his changes. If you attempt to incorporate changes from his |
| 29 |
policy into yours, I suggest backing up your policy. If you don't |
| 30 |
understand the possible side effects of the change, you could compromise |
| 31 |
or just plain break your policy. |
| 32 |
|
| 33 |
The Gentoo policy is based on the NSA example policy, but diverges from |
| 34 |
the NSA policy in some areas. For example, the improved proc |
| 35 |
restrictions are only in Gentoo policy right now. The Gentoo policy |
| 36 |
also has a unified syslogd policy rather than separate syslog and klog, |
| 37 |
to make syslog-ng and metalog work. I've also started adding other |
| 38 |
arch-specifics to the Gentoo policy (these are mainly file context |
| 39 |
additions). I have a PPC machine running a 2.6 kernel in enforcing (you |
| 40 |
might have noticed the creation of the SELinux PPC profile). |
| 41 |
|
| 42 |
-- |
| 43 |
Chris PeBenito |
| 44 |
<pebenito@g.o> |
| 45 |
Developer, SELinux |
| 46 |
Hardened Gentoo Linux |
| 47 |
|
| 48 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 49 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives