Re: SELinux

2005-09-26 Thread Archaic
On Mon, Sep 26, 2005 at 07:20:52PM -0500, Randy McMurchy wrote:
> 
> Is SELinux something I should be listing as a dependency for the
> D-BUS and HAL packages?

Not unless you want an absolute flurry of support questions. SELinux
will completely change the security model of an LFS system.

> Anyone care to enlighten me on what exactly the benefits of using
> SELinux are?

Highly advanced access control. HLFS uses a competing method from
grsecurity. http://www.grsecurity.net/

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page


Re: SELinux

2005-09-26 Thread Randy McMurchy
Archaic wrote these words on 09/26/05 19:27 CST:

> Not unless you want an absolute flurry of support questions. SELinux
> will completely change the security model of an LFS system.

The reason I asked about this is because I like being technically
accurate, however, I'm not knowledgeable enough about SELinux to
determine if one can *convert* his LFS system into a SELinux-enabled
system, or if one must *build* the system using the SELinux patches
to the various core LFS packages.

If the latter, then I don't have a problem with not mentioning
SELinux as a dependency. If the former, I'm negligent by not
mentioning it.

Can you help me determine which it is?

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
19:32:00 up 2 days, 3:56, 3 users, load average: 0.00, 0.09, 0.33


Re: SELinux

2005-09-26 Thread Archaic
On Mon, Sep 26, 2005 at 07:36:13PM -0500, Randy McMurchy wrote:
> 
> Can you help me determine which it is?

A fundamental change at the base system level would have to occur. Just
throwing selinux into the kernel of an existing system will not work. A
total system recompile with many non-LFS patches would be required.

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs



Re: SELinux

2005-09-26 Thread Randy McMurchy
Archaic wrote these words on 09/26/05 19:37 CST:

> A fundamental change at the base system level would have to occur. Just
> throwing selinux into the kernel of an existing system will not work. A
> total system recompile with many non-LFS patches would be required.

I will interpret this as something you cannot add to a base LFS
system, thus, I don't need to list it as a dependency.

Thanks for your help, dude.

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
19:44:01 up 2 days, 4:08, 3 users, load average: 0.00, 0.03, 0.16


Re: SELinux

2005-09-26 Thread Archaic
On Mon, Sep 26, 2005 at 07:45:28PM -0500, Randy McMurchy wrote:
> 
> I will interpret this as something you cannot add to a base LFS
> system, thus, I don't need to list it as a dependency.

Correct interpretation.

> Thanks for your help, dude.

NP. :)

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs



Re: SELinux

2005-09-26 Thread Bruce Dubbs
Randy McMurchy wrote:
> Hi all,
> 
> Both D-BUS and HAL look for a SELinux-enabled system. I have no
> clue about SELinux, as I've never looked into it. Best I can tell
> you must patch the kernel sources with the NSA SELinux patches,
> then install some userland tools to use the SELinux-patched kernel.

You don't need to patch the kernel any more.  It is there.  From `make
xconfig`:

NSA SELinux Support (SECURITY_SELINUX)

This selects NSA Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
You can obtain the policy compiler (checkpolicy), the utility for
labeling filesystems (setfiles), and an example policy configuration
from .
If you are unsure how to answer this question, answer N.

I don't think we should address SELinux at all in BLFS.  If it is
mentioned at all it should be in HLFS.

  -- Bruce


Re: SELinux

2005-09-26 Thread Randy McMurchy
Bruce Dubbs wrote these words on 09/26/05 21:57 CST:

> You don't need to patch the kernel any more.  It is there.  From `make
> xconfig`:
> 
> NSA SELinux Support (SECURITY_SELINUX)

My earlier point is the NSA provides *patches* to the kernel source.
The current NSA patch is for the 2.6.13 kernel sources. Though the
current 2.6.13.2 kernel sources are more recently dated than the
NSA 2.6.13 patch, reading the NSA web site indicates they provide
patches for the current kernel sources. And they advise you to
apply these patches.

I fully realize that SELinux is now part of the Linux kernel, but
it is my understanding that the NSA provides updates that are not
included in the current kernel sources, hence, the patches.

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
22:07:00 up 2 days, 6:31, 3 users, load average: 1.22, 0.89, 0.45


Re: SELinux

2005-09-26 Thread Archaic
On Mon, Sep 26, 2005 at 09:57:03PM -0500, Bruce Dubbs wrote:
> 
> You will also need a policy configuration and a labeled filesystem.

And a rebuilt glibc, and a rebuilt coreutils (with patches), and other
rebuilt LFS programs for this to do any good.

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs
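
An added example, not part of any post in this thread: a shell audit of the prerequisites the replies name (the SECURITY_SELINUX kernel option, a policy configuration, and rebuilt userland). The paths are arguments and are assumptions, "rebuilt" is approximated as linkage against libselinux, and filesystem labels are not checked.

```shell
#!/bin/sh
# Added example: audit the SELinux prerequisites discussed in the thread.
# All paths are supplied by the caller (assumptions, adjust per system), e.g.
#   selinux_readiness /boot/config-$(uname -r) /etc/selinux /bin/ls

# 1. Kernel: is SECURITY_SELINUX built in?  $1 = kernel .config (plain text).
kernel_has_selinux() {
    grep -Eq '^CONFIG_SECURITY_SELINUX=y$' "$1"
}

# 2. Policy: is there a compiled policy file (policy.<version>) under $1?
policy_present() {
    [ -d "$1" ] &&
        [ -n "$(find "$1" -type f -name 'policy.[0-9]*' 2>/dev/null | head -n 1)" ]
}

# 3. Userland: does the ldd output read from stdin mention libselinux?
#    (Assumption: an SELinux-aware rebuild links against libselinux.)
links_libselinux() {
    grep -q 'libselinux\.so'
}

# Run all three checks; print one line each, return 0 only if every check passes.
# $1 = kernel config, $2 = policy directory, $3 = binary to inspect
selinux_readiness() {
    rc=0
    if kernel_has_selinux "$1"; then
        echo "kernel:   ok"
    else
        echo "kernel:   SECURITY_SELINUX not enabled in $1"; rc=1
    fi
    if policy_present "$2"; then
        echo "policy:   ok"
    else
        echo "policy:   no compiled policy under $2"; rc=1
    fi
    if ldd "$3" 2>/dev/null | links_libselinux; then
        echo "userland: ok"
    else
        echo "userland: $3 is not linked against libselinux"; rc=1
    fi
    return $rc
}
```

A kernel with the option enabled but a failing policy or userland line is the situation described in the thread: the kernel switch alone does not give a working SELinux system.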
