On Mon, 1 Dec 2003 04:27, Andreas Barth <[EMAIL PROTECTED]> wrote: > Is it possible for me as a package maintainer to specifiy the needed > rights for "my" programms in a way that as much systems as possible > can use these without the need for a sysadmin to change anything? Or > would each LSM-based system need it's own configuration? And if so, > which should be supported by a package, and how?
There will be support in RPM for packages that contain SE Linux policy. For Debian such support will come later (if at all) as the plan is to centrally manage all policy for free software, and it's not difficult to apply custom policy for non-free software. There are patches for cron, xdm type programs, procps, psmisc, pam, and logrotate for SE Linux which will hopefully get accepted into Debian packages soon. > What I would even like more is a HOWTO "What a debian package > maintainer should do to support LSM-based security-systems properly" > (and this should become part of the Developers Reference). I'm willing > to create a template of such a HOWTO in parallel to adding support to > LSM to my packages, if I can; and this would mean that someone with > knowledge would be willing to guide me, and answer my (partly very > unknowing) questions about a lot of more or less simple things. The best thing at the moment is to do things that are good for security even on non-SE Linux machines. Don't have the daemon re-write it's own config files in /etc. Have a separate process to access password files and manipulate data from them. Don't copy files into a chroot for every invocation (Postfix is difficult because of this), or if you must copy such files around then make it easy to discover where it is to modify the process (Postfix startup scripts are difficult to understand and manage). Documentation on exactly what cron jobs do would be good too, as they are particularly painful to get right. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]