I'm forwarding this from the selinux list because it outlines some concerns that
we'll need to keep in mind while putting this together.

You should all probably be on that list, selinux@×××××××××.gov
Maybe the LSM list also; I'm not on that yet but I'm going
to join it.

We have a couple people doing some good work with selinux on
gentoo, but one of the major obstacles is making the selinux-small
package autoconf'ized. If anyone here has any experience with
autoconf you'd be a tremendous help to look at that package and
fix it with autoconf so it's more usable in gentoo. If someone knows
how to do this or can tell me how to do it that would be great. Thanks
everyone

Joshua Brindle

>>> Russell Coker <russell@×××××××××.au> 03/13/03 03:12PM >>>
Re-sent because of list problems:

On Tue, 11 Mar 2003 04:18, Daniel Carrera wrote:
> If you don't mind elaborating on your questions offlist, I'd love to hear
> any SELinux advocacy you can offer (maybe you can just cc the list).

SE Linux is well written with very clean code. This is really good if you
want to use it in teaching projects or if you want to just study the way the
code works.

SE Linux is driving LSM to a large extent. Do a web search for LSM
discussions on mailing lists and you'll see that Steve is prominently
involved.

> > The transition between 2.4.x kernels and 2.6.x will probably be painful
> > for SE Linux users. But most of the problems concern system calls and
> > will hit LIDS and DTE just as badly.
>
> Will there be a delay before SELinux is ported to the 2.6 kernel?

It's already ported to 2.5.x. However the system calls have to change and
there's a lot of debate and code re-write going on in this regard. The plan
is for 2.6.0 to have the full LSM interface. The NSA people want to have SE
Linux included in 2.6.0, although even if that doesn't happen the result will
be the same for SE users - once LSM is in it's easy to apply the SE patch
without conflicts.

> > DTE has similar concepts and aims to SE Linux (I don't want to say more
> > on this list).
>
> I'd love to hear anything more you can tell me.

I think that's already been addressed on the LSM list in a better way than I
could.

> > POSIX capabilities are very limited, and as far as I understand it this
> > is the same as what you get in a standard Linux kernel, it's only a
> > separate module for the LSM patch (someone please correct me if I am
> > wrong).
>
> Does SELinux provide an equivalent of POSIX capabilities?
> i.e. Do POSIX capabilities map to a proper subset of SELinux?

SE Linux supports all POSIX capability functionality. However they are
subject to the MAC restrictions of SE Linux policy. So an application (such
as BIND 9.x) can use POSIX capability system calls to drop capabilities it
doesn't need (or doesn't need any more). But SE Linux determines which
capabilities it can use.


SE Linux is getting good support and interest from many areas. There are
active developers in several countries and there are many administrators who
are getting involved in training and plan to do SE consulting work.

SE Linux is still undergoing rapid change, but after 2.6.0 is released that
should all be finished.


I expect that SE Linux will really take off this year.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@×××××××××.gov with
the words "unsubscribe selinux" without quotes as the message.
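The capability point in Russell's reply above (an application such as BIND drops the POSIX capabilities it no longer needs, but SE Linux policy still decides which of the remaining ones it may actually use) is worth seeing in code. The following is an added example written for this page; it is not code from the thread, from BIND, or from the SE Linux project. It uses the raw capget(2)/capset(2) syscalls with the v3 two-word ABI instead of libcap so that it builds with nothing but a Linux toolchain; the capability numbers are the standard kernel ones. The policy line quoted in the comment (allow named_t self:capability net_bind_service;) is illustrative refpolicy-style syntax for the second half of the check, the one that happens in the kernel's capable() LSM hook regardless of what the process did with capset.

```c
/* Added example (not from the thread): keep only CAP_NET_BIND_SERVICE the way
 * a daemon would after binding port 53, then read the sets back.
 *
 * Two separate gates apply to a capability on an SE Linux box:
 *   1. the POSIX sets (permitted/effective/inheritable) that this code shrinks;
 *   2. the policy's capability class, e.g. (illustrative, refpolicy style)
 *        allow named_t self:capability net_bind_service;
 *      which is consulted in the capable() LSM hook. A capability that is still
 *      in the effective set but not allowed by policy is refused and logged as
 *      an AVC denial with tclass=capability. Dropping a set bit here is only
 *      defence in depth on top of that.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* capget/capset user-space structures, v3 ABI: two 32-bit words per set. */
#define CAP_VERSION_3 0x20080522u
#define CAP_WORDS 2

struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Standard Linux capability numbers (linux/capability.h values). */
#define CAP_SETGID            6
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE 10

/* Combine capability numbers into a 64-bit bitmask. */
static uint64_t keep_mask(const int *caps, size_t n) {
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        m |= (uint64_t)1 << caps[i];
    return m;
}

/* Read the calling thread's effective and permitted sets. 0 on success. */
static int current_caps(uint64_t *eff, uint64_t *perm) {
    struct cap_hdr  h = { CAP_VERSION_3, 0 };   /* pid 0 = this thread */
    struct cap_data d[CAP_WORDS];
    if (syscall(SYS_capget, &h, d) != 0)
        return -1;
    *eff  = (uint64_t)d[0].effective | ((uint64_t)d[1].effective << 32);
    *perm = (uint64_t)d[0].permitted | ((uint64_t)d[1].permitted << 32);
    return 0;
}

/* Convenience for checks: permitted set, or UINT64_MAX if capget failed. */
static uint64_t current_permitted(void) {
    uint64_t eff, perm;
    return current_caps(&eff, &perm) == 0 ? perm : UINT64_MAX;
}

/* Retain only the capabilities in mask. Bits are only ever cleared, never
 * set, so the kernel's "new permitted is a subset of old permitted" rule is
 * always satisfied; an unprivileged process (empty sets) succeeds as a no-op.
 * Clearing permitted is irreversible for the process. 0 on success. */
static int drop_all_but(uint64_t mask) {
    uint64_t eff, perm;
    if (current_caps(&eff, &perm) != 0)
        return -1;
    uint64_t new_perm = perm & mask;
    uint64_t new_eff  = eff  & mask;
    struct cap_hdr  h = { CAP_VERSION_3, 0 };
    struct cap_data d[CAP_WORDS] = {
        { (uint32_t)new_eff,         (uint32_t)new_perm,         0 },
        { (uint32_t)(new_eff >> 32), (uint32_t)(new_perm >> 32), 0 },
    };
    return syscall(SYS_capset, &h, d) == 0 ? 0 : -1;
}

int main(void) {
    const int keep[] = { CAP_NET_BIND_SERVICE };
    if (drop_all_but(keep_mask(keep, 1)) != 0) {
        perror("capset");
        return 1;
    }
    uint64_t eff, perm;
    if (current_caps(&eff, &perm) != 0) {
        perror("capget");
        return 1;
    }
    printf("effective=%#llx permitted=%#llx\n",
           (unsigned long long)eff, (unsigned long long)perm);
    return 0;
}
```

Run it as root and the permitted set collapses to bit 10; run it as an ordinary user and both sets print as 0, because there was nothing to drop. Either way the remaining bit buys the process nothing on an SE Linux system unless the domain's policy also grants net_bind_service in the capability class, which is the asymmetry Russell describes: the application can only give capabilities up, the policy decides what it may keep using.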