| 1 |
i'm forwarding this from the selinux list because it outlines some concerns that
|
| 2 |
we'll need to keep in mind while putting this together
|
| 3 |
|
| 4 |
you should all probably be on that list selinux@×××××××××.gov
|
| 5 |
maybe the LSM list also, i'm not on that yet but i'm going
|
| 6 |
to join it
|
| 7 |
|
| 8 |
we have a couple people doing some good work with selinux on
|
| 9 |
gentoo, but one of the major obstacles is making the selinux-small
|
| 10 |
package autoconf'ized. If anyone here has any experience with
|
| 11 |
autoconf you'd be a tremendous help to look at that package and
|
| 12 |
fix it with autoconf so it's more usable in gentoo. If someone knows
|
| 13 |
how do to this or can tell me how to do it that would be great. Thanks
|
| 14 |
everyone
|
| 15 |
|
| 16 |
Joshua Brindle
|
| 17 |
|
| 18 |
>>> Russell Coker <russell@×××××××××.au> 03/13/03 03:12PM >>> |
| 19 |
Re-sent because of list problems:
|
| 20 |
|
| 21 |
On Tue, 11 Mar 2003 04:18, Daniel Carrera wrote:
|
| 22 |
> If you don't mind elaborating on your questions offlist, I'd love to hear |
| 23 |
> any SELinux advocacy you can offer (maybe you can just cc the list). |
| 24 |
|
| 25 |
SE Linux is well written with very clean code. This is really good if you
|
| 26 |
want to use it in teching projects or if you want to just study the way the
|
| 27 |
code works.
|
| 28 |
|
| 29 |
SE Linux is driving LSM to a large extent. Do a web search for LSM
|
| 30 |
discussions on mailing lists and you'll see that Steve is prominantly
|
| 31 |
involved.
|
| 32 |
|
| 33 |
> > The transition between 2.4.x kernels and 2.6.x will probably be painful |
| 34 |
> > for SE Linux users. But most of the problems concern system calls and |
| 35 |
> > will hit LIDS and DTE just as badly. |
| 36 |
> |
| 37 |
> Will there be a delay before SELinux is ported to the 2.6 kernel? |
| 38 |
|
| 39 |
It's already ported to 2.5.x. However the system calls have to change and
|
| 40 |
there's a lot of debate and code re-write going on in this regard. The plan
|
| 41 |
is for 2.6.0 to have the full LSM interface. The NSA people want to have SE
|
| 42 |
Linux included in 2.6.0, although even if that doesn't happen the result will
|
| 43 |
be the same for SE users - once LSM is in it's easy to apply the SE patch
|
| 44 |
without conflicts.
|
| 45 |
|
| 46 |
> > DTE has similar concepts and aims to SE Linux (I don't want to say more |
| 47 |
> > on this list). |
| 48 |
> |
| 49 |
> I'd love to hear anything more you can tell me. |
| 50 |
|
| 51 |
I think that's already been addressed on the LSM list in a better way than I
|
| 52 |
could.
|
| 53 |
|
| 54 |
> > POSIX capabilities are very limited, and as far as I understand it this |
| 55 |
> > is the same as what you get in a standard Linux kernel, it's only a |
| 56 |
> > separate module for the LSM patch (someone please correct me if I am |
| 57 |
> > wrong). |
| 58 |
> |
| 59 |
> Does SELinux provide an equivalent of POSIX capabilities? |
| 60 |
> i.e. Does POSIX capabilities map to a proper subset of SELinux? |
| 61 |
|
| 62 |
SE Linux supports all POSIX capability functionality. However they are
|
| 63 |
subject to the MAC restrictions of SE Linux policy. So an application (such
|
| 64 |
as BIND 9.x) can use POSIX capability system calls to drop capabilities it
|
| 65 |
doesn't need (or doesn't need any more). But SE Linux determines which
|
| 66 |
capabilties it can use.
|
| 67 |
|
| 68 |
|
| 69 |
SE Linux is getting good support and interest from many areas. There are
|
| 70 |
active developers in several countries and there are many administrators who
|
| 71 |
are getting involved in training and plan to do SE consulting work.
|
| 72 |
|
| 73 |
SE Linux is still undergoing rapid change, but after 2.6.0 is released that
|
| 74 |
should all be finished.
|
| 75 |
|
| 76 |
|
| 77 |
I expect that SE Linux will really take off this year.
|
| 78 |
|
| 79 |
--
|
| 80 |
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
|
| 81 |
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
|
| 82 |
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
|
| 83 |
http://www.coker.com.au/~russell/ My home page
|
| 84 |
|
| 85 |
|
| 86 |
--
|
| 87 |
This message was distributed to subscribers of the selinux mailing list.
|
| 88 |
If you no longer wish to subscribe, send mail to majordomo@×××××××××.gov with
|
| 89 |
the words "unsubscribe selinux" without quotes as the message. |
Archives