Re: Penalty of SELinux?

2007-09-29 Thread Douglas A. Tutty
On Thu, Sep 27, 2007 at 07:55:47PM +0200, Michelle Konzack wrote:
> On 2007-09-23 11:14:57, Douglas A. Tutty wrote:
> > On small systems, what about the penalty of just larger binaries?  I
> > have some older boxes with 16-64 MB ram.  
> > 
> > Doug.
> - END OF REPLIED MESSAGE -
> 
> Look at  to get FPM's for your old 486
> machines or faster EDO's for the Pentium 1.
> 
> I have 486 machines running too, but not a single one has less
> than 64 MBytes...


The problem for me with ebay is that even with the CDN dollar at par
with the US, VISA still takes a conversion chunk to pay paypal in US
Dollars.  Even if the product is in Canada, the prices are in US dollars
and payment is in US dollars.  Then there's the shipping, plus if it's
_not_ in Canada there's the Customs Brokerage fees even though NAFTA
applies and all they're taking is the Canadian sales taxes.  

By the time I pay for all that, I can buy a newer-used computer.  Then,
I've got to pay to have my old one recycled...

All because nobody has an up-to-date cc for older computers _and_ word
has it that modern coders rely more and more on the speed of modern
computers.  

If only Unix, Linux, and Debian were written in Fortran77.  Then I could
put OS/2 back on the 486 and run my trusty IBM Fortran77 compiler and
rebuild everything to work great on it.

Progress.

Doug.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Penalty of SELinux?

2007-09-28 Thread Chris Bannister
On Sun, Sep 23, 2007 at 11:13:13AM -0400, Douglas A. Tutty wrote:
> Linux's target is the modern desktop and the focus is on keeping up with
> new hardware.  The BSDs keep the drivers for old hardware but patches
> require building and that building relies on gcc which isn't optimized
> for use on old systems.  
> 
> So I'll keep looking.

Ah what about embedded Debian? ulibc etc. Have to check it out myself,
although off the top of my head it's for mobile devices, ... but who
knows.

-- 
Chris.





Re: Penalty of SELinux?

2007-09-27 Thread consultores agropecuarios
On Thu, 27-09-2007 at 19:54 +0200, Michelle Konzack wrote:
> On 2007-09-22 11:29:09, Douglas A. Tutty wrote:
> > I run a bunch of old machines.  
> > 
> > Now that SELinux is integrated (compiled in) to various pieces of
> > Debian, is there a penalty even if it's not activated?
> > 
> > Thanks,
> > 
> > Doug.
> - END OF REPLIED MESSAGE -
> 
> Since SElinux is NOT ACTIVATED by default, there is NO PENALTY.
> 

NOT ACTIVATED, hummm...
from dmesg:
Security Framework v1.0.0 initialized
SELinux:  Disabled at boot.

> Thanks, Greetings and nice Day
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant
> 
> 





Re: Penalty of SELinux?

2007-09-27 Thread David Brodbeck


On Sep 27, 2007, at 10:54 AM, Michelle Konzack wrote:

> On 2007-09-24 10:01:12, David Brodbeck wrote:
>
> > Same basic problem, I think.  To apply security patches you have to
> > recompile.  To recompile, you have to use GCC, which is a resource
> > hog.  You'd get old and die waiting for "make world" to finish on a
> > machine with 64 megs of RAM.
> >
> > One solution, if there are faster machines on the LAN, might be to
> > use distcc.  But then you're not "really" stand-alone.
> - END OF REPLIED MESSAGE -
>
> But you know, that you can get NetBSD as binary distribution like
> Debian?


Yes, I do.  But last I knew they only distributed security patches  
(between distribution releases) as source code, so if you want the  
latest fixes you have to compile from source.  It's possible this  
changed -- I still run FreeBSD, but I haven't looked at NetBSD lately.


On the plus side, security fixes to the base system are fairly  
uncommon in *BSD -- since FreeBSD 6.2 was released in January, there  
have only been six of them, for example.









Re: Penalty of SELinux?

2007-09-27 Thread Mike McCarty

Michelle Konzack wrote:

> On 2007-09-25 03:11:39, Mike McCarty wrote:
>
> > It would take more than just kernel, of course. I am investigating
> > LFS. Gentoo seems to have accepted SELinux as well, though since
> > it is a source distro most of the work would be easier in that
> > case, perhaps.
>
> And where is the problem with Debian?

I didn't say there was a problem with Debian. If I'm going to go
to extra effort to be able to control what is on my machine,
I'm going to have to load another distro. I don't currently have
Debian on my machine, so it makes more sense to switch to a
distro which has goals closer to my own.

[snip]

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!






Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-25 03:11:39, Mike McCarty wrote:
> It would take more than just kernel, of course. I am investigating
> LFS. Gentoo seems to have accepted SELinux as well, though since
> it is a source distro most of the work would be easier in that
> case, perhaps.

And where is the problem with Debian?

Build a small environment where you can rebuild a bunch of Debian packages
at once, where you first build all packages which had the SElinux patches.

Then install a minimal Debian repository where you have the WHOLE base
and the SELinux-patched packages replaced by your own packages.

Since I sometimes need special options enabled (72 packages), I have built
such an environment which autobuilds the new (in general stable) packages if
they appear in the Debian security repository.

Then my customers do not use the official Debian repositories but my own.

So, now tell me where the problem is?

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSN LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature


Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-24 22:16:02, Mumia W.. wrote:
> However, the dependency upon SElinux is more recent. There may be time 
> to remove it before it becomes too entrenched and before its tentacles 
> probe too deeply into Debian.
> 
> I hope it's not too late. I wish I'd educated myself about SELinux 
> earlier, and I wish I could've participated in the discussions about 
> SElinux in Debian. I believe that if more Debian users were aware of the 
> radical nature of SElinux, its complexity and the number of core 
> libraries and utilities that would have to be changed to accommodate it, 
> SElinux's entry into Debian could have been averted.
> 
> Now we are in the unfortunate position of having to convince the 
> maintainer of SElinux to advocate for the removal of his baby from his 
> O/S. :-(
- END OF REPLIED MESSAGE -

It seems you have no clue about "What SElinux is".

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-24 17:26:01, Ron Johnson wrote:
> On 09/24/07 15:46, David Brodbeck wrote:
> > But if you're worried that the NSA is targeting you, you've got a lot of
> > more serious concerns.  Your monitor is radiating signals that can be
> > picked up and decoded.
> 
> Even LCD monitors?

YES.  Even the follow-up org of the KGB is using a simple video camera and
filming the light change of your room where you are working with your
computer and then uses a special program to reconstruct the images of
your computer's desktop...

Do not think they are idiots.

> Shielded TP?

You need an EMP-secured environment...

> > Internet connection is easy to tap.
> 
> GPG?

Right, but connecting to the Internet is violating the EMP policy.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
Hi John and *,

On 2007-09-23 20:08:04, John Hasler wrote:
> consultores writes:
> > The real problem with SELinux is that it come from a really well known
> > untrusted organization around the globe...
> 
> Has it occurred to you that if NSA wanted to slip a backdoor into Linux and
> thought that they could slip it past all the prying eyes that they just
> might be intelligent enough to do it by planting a mole among the kernel
> developers?  Better get started on doing background checks on all of them!
> 
> BTW what are you doing that you believe would interest the NSA?  If I had
> such secrets I wouldn't store them on any computer (and I certainly
> wouldn't express my fears on a public mailing list).
- END OF REPLIED MESSAGE -

ACK!

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-23 11:14:57, Douglas A. Tutty wrote:
> On small systems, what about the penalty of just larger binaries?  I
> have some older boxes with 16-64 MB ram.  
> 
> Doug.
- END OF REPLIED MESSAGE -

Look at  to get FPM's for your old 486
machines or faster EDO's for the Pentium 1.

I have 486 machines running too, but not a single one has less
than 64 MBytes...

(MSI MS-4144, each with four USR Courier I-Modems in ISA slots)

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-24 18:16:32, Mike McCarty wrote:
> I beg to differ. One of the "selling points" of DSL is that
> it has a small RAM footprint. I have run it on a 486 with
> 16MB of RAM.

I was running Debian GNU/Linux 2.1 Slink on a Toshiba T1950CT
with a 486dx50 and 12 MByte of RAM.

In 2005 I upgraded to Woody with Linux 2.4 and it was working fine.

> Yes, there is that. Part of it is that we live in a "throw away"
> world these days. What benefit expending effort keeping old machines
> going, when people want the newer faster ones, anyway?

:-)  --  You are the owner of a museum.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-24 10:01:12, David Brodbeck wrote:
> Same basic problem, I think.  To apply security patches you have to  
> recompile.  To recompile, you have to use GCC, which is a resource  
> hog.  You'd get old and die waiting for "make world" to finish on a  
> machine with 64 megs of RAM.
> 
> One solution, if there are faster machines on the LAN, might be to  
> use distcc.  But then you're not "really" stand-alone.
- END OF REPLIED MESSAGE -

But you know that you can get NetBSD as a binary distribution like Debian?

I was running NetBSD before starting with Debian in 1999-04 and as you
know, "Don't touch a running system!"  --  Meaning, my 386dx33 (16MB of RAM)
has been running as a DCF-77 receiver (it is an ISA card) plus "ntpd" for my
local network for over 9 years now and was never hacked.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-27 Thread Michelle Konzack
On 2007-09-22 11:29:09, Douglas A. Tutty wrote:
> I run a bunch of old machines.  
> 
> Now that SELinux is integrated (compiled in) to various pieces of
> > Debian, is there a penalty even if it's not activated?
> 
> Thanks,
> 
> Doug.
- END OF REPLIED MESSAGE -

Since SElinux is NOT ACTIVATED by default, there is NO PENALTY.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant




Re: Penalty of SELinux?

2007-09-25 Thread Manoj Srivastava
On Tue, 25 Sep 2007 11:28:13 -0500, Mike McCarty
<[EMAIL PROTECTED]> said:  

> Manoj Srivastava wrote:
> As I said, it might be a good starting place. If the patching of the
> source is done right, it's dependent upon a define anyway.  I don't
> have high hopes for that.

All the patches I have submitted for inclusion in Debian have
 been conditional --  as is the case in patches accepted upstream that I
 am aware of

>  "Unpatching" is not difficult, as there are
> diff tools which can do that automatically if one has the original
> source. Providing that back to Gentoo, along with a polite request,
> might get access to original source.

> If, as you say, the changes are "small", then pulling the unmodified
> sources for those things which are changed for SELinux should not be
> difficult. Since one is going to build from source anyway, then the
> rest is a shoo-in.

> I'm not so sure the changes are "small".

> If Gentoo is not amenable, then there's SLAX, which I believe does not
> have SELinux.

Well, best of luck in searching for a distribution that meets
 your goals.

manoj
-- 
He'll sit here and he'll say, "Do this!  Do that!"  And nothing will
happen. Harry S. Truman, on presidential power
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-25 Thread Mike McCarty

Manoj Srivastava wrote:
> On Tue, 25 Sep 2007 03:11:39 -0500, Mike McCarty <[EMAIL PROTECTED]> said:

[snip]

>>> packages. It is fewer than that.  Compared to 10k source packages,
>>> however, even the bloated figure of 50 is "few". BTW, I count 29
>>> packages.

>> I was using the published figure for Red Hat. They included such apps
>> as ls, ps, mv, cp, etc. which are modified either to display or
>> propagate attributes of processes or files.

> ls is not a package. ls comes from coreutils. Normal

I didn't say it was. You used the word "package". I used the word
"app". If each "package" has two "apps" then we get close to 50,
I think.

>  applications need zero modification under SELinux. Some applications

I didn't claim anything like what you say here.

[snip]

>  which manage security may need to be made SELinux-aware,   although
>  this can often be done with PAM plugins, which is a standard way to do
>  this kind of thing in modern Unix & Linux OSs.

>> It would take more than just kernel, of course. I am investigating
>> LFS. Gentoo seems to have accepted SELinux as well, though since it is
>> a source distro most of the work would be easier in that case,
>> perhaps.

> Not really.  You'll have to unpatch a whole bunch of gentoo
>  source packages. And gentoo is further along than us with respect to
>  security policy integration -- the keeper of the SELinux security
>  policy is a gentoo core developer.


As I said, it might be a good starting place. If the patching of
the source is done right, it's dependent upon a define anyway.
I don't have high hopes for that. "Unpatching" is not difficult,
as there are diff tools which can do that automatically if one
has the original source. Providing that back to Gentoo, along
with a polite request, might get access to original source.

If, as you say, the changes are "small", then pulling the
unmodified sources for those things which are changed
for SELinux should not be difficult. Since one is going to
build from source anyway, then the rest is a shoo-in.

I'm not so sure the changes are "small".

If Gentoo is not amenable, then there's SLAX, which I believe
does not have SELinux.

Mike






Re: Penalty of SELinux?

2007-09-25 Thread Mumia W..

On 09/25/2007 08:41 AM, Ron Johnson wrote:

> On 09/24/07 22:16, Mumia W.. wrote:
>
>> [...]
>> Your Debian machine is probably not dependent upon tcl, but Debian has
>> been dependent upon python for a long time.
>
> Base install is dependent on Python?  I find that very hard to believe.



Well what do you know?

Although python is installed by default, it's possible to remove it 
without breaking the system.


For some strange reason, I had imagined that aptitude depended upon python.






Re: Penalty of SELinux?

2007-09-25 Thread Manoj Srivastava
On Tue, 25 Sep 2007 05:04:15 -0400, Kevin Mark <[EMAIL PROTECTED]>
said:  

> There are 2 approaches to application security that I am aware of:
> app-armour and SELinux.  Debian has SELinux, although Ubuntu now has
> both and seems to be favouring app-armour for some odd reason that I
> have not investigated.  If Ubuntu continue, it could be another rift
> with unknown consequences. I have read about more distros supporting
> SELinux than app-armour. I have also read some on SELinux and of the
> discussions of it on -devel and seem to think its the way to go.
> Hopefully sometime in the near future we will have either a targeted
> or strict policy that is usable for average web server use in one or
> two releases that is not as complicated as it is now. IIRC the folks
> on that mission include Manoj and Eric Shubert. who I wish well on
> that AVC filled road.  Cheers, K

App Armour is smoke and mirrors, and does not really provide
 security, in my opinion -- since it is oh so very easily
 bypassable. People in the security field believe that pathnames are an
 inappropriate security mechanism.

Label-based security (exemplified by SELinux, and its
 predecessors in MLS systems) attaches security policy to the data. As
 the data flows through the system, the label sticks to the data, and so
 security policy with respect to this data stays intact. This is a good
 approach for ensuring secrecy, the kind of problem that intelligence
 agencies have.  Labels are also a good approach for ensuring integrity,
 which is one of the most fundamental aspects of the security model
 implemented by SELinux.

SELinux security is enforced within the kernel, and an
 application which  does not have permission to access an object will
 simply receive an error  using the standard Unix mechanisms already
 used for DAC.  For example, a  write(2) might fail with an EACCES error
 code. 

Traditional Unix security in fact does not primarily depend on
 pathnames,  but on DAC ownership and permission attributes stored in
 the file's inode.  DAC is of course a form of labeled security.

Pathname-based security (exemplified in AppArmor, and its
 predecessor Janus http://www.cs.berkeley.edu/~daw/janus/ and other
 systems like Systrace http://www.citi.umich.edu/u/provos/systrace/ )
 try to get by with a half-hearted attempt by attaching "security"
 policy to the name of the data.  Create a symlink, bind mount, or
 anything like that, and poof, there goes your security.  In other
 words, namespace manipulation, object aliasing (e.g. symlinks),
 application error, configuration error, corrupted files, corrupted
 filesystems, misbehavior due to malware infection or various forms of user
 error make security go away.  A pathname tells you nothing reliable
 about the security properties of the object it's pointing to.  It is
 simply a mechanism for locating and referring to an object.

In fact, I am not sure how you can provide integrity support
 without labels. AppArmor confines a process, but does not effectively
 confine its output files, precisely because the output files are not
 labeled. Other processes are free to access the unlabeled, potentially
 malicious output files without restriction. Without security labeling
 of the objects being accessed, you can't protect against software
 flaws, which has been a pretty fundamental and widely understood
 requirement in general computing for at least a decade. 

You need a way of providing global and persistent security
 guarantees for the data, and per-program profiles based on pathname
 don't get you there.  There is no system view in AA, just a bunch of
 disconnected profiles.


Bad security is dangerous, really dangerous.

As an aside on the penalty of SELinux, the upfront labeling cost
 of labeled MAC is not characteristically different to that of
 traditional DAC labeling.  Ideally, an SELinux system is installed from
 scratch with its security labels as well as DAC attributes, with the
 labeling behavior for newly created objects being controlled from a
 well defined policy.  You probably want to avoid getting into the
 situation of needing a TE relabel on a production system in any case.

manoj
 getting off the soap box
http://www.nsa.gov/selinux/papers/inevitability/
-- 
I'm a Hollywood writer; so I put on a sports jacket and take off my
brain.
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
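The contrast Manoj draws above between pathname-based and label-based policy, worked through as an added example in Python (this is not code from the thread, from AppArmor, or from the SELinux project): a toy pathname profile and a toy label policy are asked the same question about the same files after a symlink and a hard link are created inside the "allowed" directory. The directory tree, file contents and type names (`public_t`, `secret_t`, `unlabeled_t`) are constructed for the demonstration, and the label store is an in-memory dict keyed by inode rather than the `security.selinux` xattr a real labeled system keeps on the inode; nothing here is enforced by the kernel.

```python
import fnmatch
import os
import tempfile


def make_tree(base):
    """Create a constructed sample tree: one confidential file, one public file."""
    os.makedirs(os.path.join(base, "private"))
    os.makedirs(os.path.join(base, "public"))
    secret = os.path.join(base, "private", "secret.txt")
    readme = os.path.join(base, "public", "readme.txt")
    with open(secret, "w") as fh:
        fh.write("constructed confidential data\n")
    with open(readme, "w") as fh:
        fh.write("constructed public data\n")
    return secret, readme


class PathnameProfile:
    """Toy pathname-based profile: the rule is attached to the name used to open the file."""

    def __init__(self, base):
        # Hypothetical profile rule: this program may read anything under public/.
        self.allowed_globs = [os.path.join(base, "public", "*")]

    def may_read(self, path):
        return any(fnmatch.fnmatch(path, g) for g in self.allowed_globs)


class LabelPolicy:
    """Toy label-based policy: the label is attached to the object (inode), not the name.

    Labels live in a dict keyed by (st_dev, st_ino), standing in for the
    security xattr a real labeled system stores on the inode.
    """

    def __init__(self):
        self.labels = {}
        self.readable_types = {"public_t"}  # constructed type name

    def label(self, path, type_name):
        st = os.stat(path)
        self.labels[(st.st_dev, st.st_ino)] = type_name

    def may_read(self, path):
        # os.stat() resolves the name to the object: a symlink is followed and a
        # hard link shares the inode, so every alias reaches the real file's label.
        st = os.stat(path)
        return self.labels.get((st.st_dev, st.st_ino), "unlabeled_t") in self.readable_types


def compare_policies():
    """Return {alias_kind: (pathname_allows, label_allows)} for each way of naming the files."""
    with tempfile.TemporaryDirectory() as base:
        secret, readme = make_tree(base)
        profile = PathnameProfile(base)
        policy = LabelPolicy()
        policy.label(secret, "secret_t")
        policy.label(readme, "public_t")

        # Two aliases inside the "allowed" directory that both name the secret's inode.
        symlink = os.path.join(base, "public", "via-symlink.txt")
        os.symlink(secret, symlink)
        candidates = [("readme", readme), ("secret", secret), ("symlink", symlink)]
        hardlink = os.path.join(base, "public", "via-hardlink.txt")
        try:
            os.link(secret, hardlink)
            candidates.append(("hardlink", hardlink))
        except OSError:
            pass  # some filesystems refuse hard links; the symlink case already makes the point

        return {name: (profile.may_read(p), policy.may_read(p)) for name, p in candidates}


if __name__ == "__main__":
    for name, (by_path, by_label) in compare_policies().items():
        print(f"{name:9s} pathname-profile={'allow' if by_path else 'deny':5s} "
              f"label-policy={'allow' if by_label else 'deny'}")
```

Running it shows the pathname profile allowing the read through both aliases, because the names match the glob, while the label policy denies them, because name resolution ends at the same inode that carries `secret_t`. That is the "object aliasing" case in the paragraph above; the same inode-keyed lookup is what lets a label survive a rename or a bind mount, which a glob on the path cannot.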





Re: Penalty of SELinux?

2007-09-25 Thread Manoj Srivastava
On Tue, 25 Sep 2007 03:11:39 -0500, Mike McCarty <[EMAIL PROTECTED]> said: 

> Manoj Srivastava wrote:
>> On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty
>> <[EMAIL PROTECTED]> said:
>> 
>>> Manoj Srivastava wrote:
>>>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>>>> <[EMAIL PROTECTED]> said:
>>>> 
>>>>> Manoj Srivastava wrote:
>>>>>> Firstly: Very few packages have been actively patched to link
>>>>> Something like 50 or so. ls, mv, cp, etc.
>>>> Source packages.  All those are from coreutils, no?
>> 
>>> I believe so. My response was in regards to "very few". I suppose
>>> that is a subjective response. "50 or so" is not subjective.
>> 
>> My response suggests that 50 or so is inaccurate, if you count source
>> packages. It is fewer than that.  Compared to 10k source packages,
>> however, even the bloated figure of 50 is "few". BTW, I count 29
>> packages.

> I was using the published figure for Red Hat. They included such apps
> as ls, ps, mv, cp, etc. which are modified either to display or
> propagate attributes of processes or files.

ls is not a package. ls comes from coreutils. Normal
 applications need zero modification under SELinux. Some applications
 which manage security may need to be made SELinux-aware,   although
 this can often be done with PAM plugins, which is a standard way to do
 this kind of thing in modern Unix & Linux OSs. 


>> --8<---cut here---start->8---
>> libselinux1 Reverse Depends: coreutils cron dbus dmraid dmsetup fcron
>> gdm gnome-user-share libblkid1 libdevmapper1.02.1 libgnomevfs2-0
>> libnss-db libpam-modules librpm4.4 logrotate loop-aes-utils lvm2
>> mount nautilus openssh-server passwd policycoreutils prelink rpm
>> sysvinit sysvinit-utils udev util-linux xdm
>> --8<---cut here---end--->8---

> So, ls can't display the extended attributes of the files?  And ps
> can't display the attributes of the processes?  And find can't be used
> selectively to find files based on the extended attributes?

Again, you seem to be confusing executables with packages. ls is
 not a package. (try dpkg -l ls).

But yes, unless coreutils is patched, ls -Z would probably
 return an error.
--8<---cut here---start->8---
__> ls -Z .login  
-rw-r--r--  srivasta srivasta user_u:object_r:user_home_t:s0   .login
--8<---cut here---end--->8---


> It would take more than just kernel, of course. I am investigating
> LFS. Gentoo seems to have accepted SELinux as well, though since it is
> a source distro most of the work would be easier in that case,
> perhaps.

Not really.  You'll have to unpatch a whole bunch of gentoo
 source packages. And gentoo is further along than us with respect to
 security policy integration -- the keeper of the SELinux security
 policy is a gentoo core developer.

manoj
-- 
"The real problem with SDI is that it doesn't kill anybody." Tom Neff
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-25 Thread Ron Johnson

On 09/24/07 22:16, Mumia W.. wrote:
> On 09/24/2007 07:52 PM, Miles Bader wrote:
>> Mike McCarty <[EMAIL PROTECTED]> writes:
>>>> even 708 old hardware seems to be running it fine for me.
>>> My objection is to having on my machine at all.
>>
>> I object to having python and tcl on my machine.
>>
> 
> Your Debian machine is probably not dependent upon tcl, but Debian has
> been dependent upon python for a long time.

Base install is dependent on Python?  I find that very hard to believe.

--
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!






Re: Penalty of SELinux?

2007-09-25 Thread Kevin Mark
On Tue, Sep 25, 2007 at 03:11:39AM -0500, Mike McCarty wrote:
> Manoj Srivastava wrote:
>> On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty 
>> <[EMAIL PROTECTED]> said: 
>>> Manoj Srivastava wrote:
>>>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>>>> <[EMAIL PROTECTED]> said:
>>>>
>>>>> Manoj Srivastava wrote:
>>>>>> Firstly: Very few packages have been actively patched to link
>>>>> Something like 50 or so. ls, mv, cp, etc.
>>>> Source packages.  All those are from coreutils, no?
>>> I believe so. My response was in regards to "very few". I suppose that
>>> is a subjective response. "50 or so" is not subjective.
>> My response suggests that 50 or so is inaccurate, if you count
>>  source packages. It is fewer than that.  Compared to 10k source
>>  packages, however, even the bloated figure of 50  is "few". BTW, I
>>  count 29 packages.
>
> I was using the published figure for Red Hat. They included such
> apps as ls, ps, mv, cp, etc. which are modified either to display
> or propagate attributes of processes or files.
>
>> --8<---cut here---start->8---
>> libselinux1 Reverse Depends:
>>   coreutils cron dbus dmraid dmsetup fcron gdm gnome-user-share
>>   libblkid1 libdevmapper1.02.1 libgnomevfs2-0 libnss-db libpam-modules
>>   librpm4.4 logrotate loop-aes-utils lvm2 mount nautilus openssh-server
>>   passwd policycoreutils prelink rpm sysvinit sysvinit-utils udev
>>   util-linux xdm
>> --8<---cut here---end--->8---
>
> So, ls can't display the extended attributes of the files?
> And ps can't display the attributes of the processes?
> And find can't be used selectively to find files based on
> the extended attributes?

That is it. The extended attributes, iirc, are called the 'security
context' and IIRC they are accessed with a '-Z' option (e.g. 'ls -Z').

>
>>>> Right. But a few hundred KB in memory is a smallish penalty, and
>>> More subjectivity :-)
>> All opinions are subjective.
>
> Naturally.
>
>>>> even 708 old hardware seems to be running it fine for me.
>>> My objection is to having on my machine at all.
>> Feel free to create your own apt sources are where you
>>  specifically override the defaults you do not like. This is the only
>>  recourse for those of us who do not like some aspect of the
>>  distribution, and care enough to take the effort to fork out own
>>  packages (I do my own kernel, uml, emacs. gnus, et. al packages)
>
> It would take more than just kernel, of course. I am investigating
> LFS. Gentoo seems to have accepted SELinux as well, though since
> it is a source distro most of the work would be easier in that
> case, perhaps.

There are 2 approaches to application security that I am aware of:
app-armour and SELinux.  Debian has SELinux, although Ubuntu now has
both and seems to be favouring app-armour for some odd reason that I
have not investigated.  If Ubuntu continues, it could be another rift
with unknown consequences. I have read about more distros supporting
SELinux than app-armour. I have also read some on SELinux and of the
discussions of it on -devel and seem to think it's the way to go.
Hopefully sometime in the near future we will have either a targeted or
strict policy that is usable for average web server use in one or two
releases that is not as complicated as it is now. IIRC the folks on that
mission include Manoj and Eric Shubert, who I wish well on that AVC-filled
road.
Cheers,
K

-- 
|  .''`.  == Debian GNU/Linux == |   my web site:   |
| : :' :  The  Universal |mysite.verizon.net/kevin.mark/|
| `. `'  Operating System| go to counter.li.org and |
|   `-http://www.debian.org/ |be counted! #238656   |
|  my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian!  |
|___  Unless I ask to be CCd, assume I am subscribed ___|





Re: Penalty of SELinux?

2007-09-25 Thread Mike McCarty

Manoj Srivastava wrote:
> On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty <[EMAIL PROTECTED]> said: 
>
>> Manoj Srivastava wrote:
>>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>>> <[EMAIL PROTECTED]> said:
>>>
>>>> Manoj Srivastava wrote:
>>>>> Firstly: Very few packages have been actively patched to link
>>>
>>>> Something like 50 or so. ls, mv, cp, etc.
>>>
>>> Source packages.  All those are from coreutils, no?
>>
>> I believe so. My response was in regards to "very few". I suppose that
>> is a subjective response. "50 or so" is not subjective.
>
> My response suggests that 50 or so is inaccurate, if you count
>  source packages. It is fewer than that.  Compared to 10k source
>  packages, however, even the bloated figure of 50  is "few". BTW, I
>  count 29 packages.

I was using the published figure for Red Hat. They included such
apps as ls, ps, mv, cp, etc. which are modified either to display
or propagate attributes of processes or files.

> --8<---cut here---start->8---
> libselinux1 Reverse Depends:
>   coreutils cron dbus dmraid dmsetup fcron gdm gnome-user-share
>   libblkid1 libdevmapper1.02.1 libgnomevfs2-0 libnss-db libpam-modules
>   librpm4.4 logrotate loop-aes-utils lvm2 mount nautilus openssh-server
>   passwd policycoreutils prelink rpm sysvinit sysvinit-utils udev
>   util-linux xdm
> --8<---cut here---end--->8---

So, ls can't display the extended attributes of the files?
And ps can't display the attributes of the processes?
And find can't be used selectively to find files based on
the extended attributes?

>>> Right. But a few hundred KB in memory is a smallish penalty, and
>>
>> More subjectivity :-)
>
> All opinions are subjective.

Naturally.

>>> even 708 old hardware seems to be running it fine for me.
>>
>> My objection is to having on my machine at all.
>
> Feel free to create your own apt sources where you
>  specifically override the defaults you do not like. This is the only
>  recourse for those of us who do not like some aspect of the
>  distribution, and care enough to take the effort to fork our own
>  packages (I do my own kernel, uml, emacs, gnus, et. al packages)

It would take more than just kernel, of course. I am investigating
LFS. Gentoo seems to have accepted SELinux as well, though since
it is a source distro most of the work would be easier in that
case, perhaps.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!


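Two things in the exchange above are easy to show in code rather than argue about: what Mike is asking (the label that ls -Z, ps -Z and find -context print is just the security.selinux extended attribute, which any program can read for itself) and what Kevin calls the AVC-filled road (tuning a targeted or strict policy means reading the AVC denial records the kernel logs and turning them into rules, which is the job audit2allow automates). The script below is an added example written for this page; it is not code from the thread or from Debian's SELinux packages. The audit records in SAMPLE_LOG are constructed, not captured from a real system, and the function names are mine.

```python
"""Parse SELinux AVC denials from audit-log lines and draft the allow rules
they imply, plus read a file's label directly from its xattr.  Added example
for this page, not code from the thread; SAMPLE_LOG is constructed."""
import os
import re
from collections import defaultdict

# Constructed sample of the records auditd (or dmesg) emits when a process is
# refused access under policy.  The SYSCALL record is there to show that
# non-AVC records are ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1190671234.123:45): avc:  denied  { read } for  pid=2142 comm="httpd" name="index.html" dev=sda1 ino=8193 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190671234.456:46): avc:  denied  { getattr } for  pid=2142 comm="httpd" path="/home/doug/public_html/index.html" dev=sda1 ino=8193 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190671240.789:47): avc:  denied  { name_connect } for  pid=2142 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190671240.789:47): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def parse_context(ctx):
    """Split 'user:role:type[:level]' into its parts.  The MLS level may itself
    contain ':' (ranges such as s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_avc(log_text):
    """Return one dict per AVC record; records that are not AVC are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        events.append({
            "result": m.group("result"),
            "perms": frozenset(m.group("perms").split()),
            "scontext": parse_context(m.group("scontext")),
            "tcontext": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return events


def summarise_denials(events):
    """Group denied permissions by (source type, target type, object class),
    the same grouping audit2allow uses before it prints a rule."""
    grouped = defaultdict(set)
    for ev in events:
        if ev["result"] != "denied":
            continue
        key = (ev["scontext"]["type"], ev["tcontext"]["type"], ev["tclass"])
        grouped[key] |= ev["perms"]
    return dict(grouped)


def draft_allow_rules(summary):
    """Render the grouped denials as TE allow rules.  These are the raw
    'make the denial go away' rules; whether the access is legitimate is a
    separate decision (httpd reading a home directory is usually better fixed
    by relabelling the files than by widening httpd_t)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


def file_label(path):
    """The label ls -Z shows, read straight from the security.selinux xattr.
    Returns None where there is no label (no SELinux, or a filesystem that
    does not carry xattrs); os.getxattr itself only exists on Linux."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode()


if __name__ == "__main__":
    for rule in draft_allow_rules(summarise_denials(parse_avc(SAMPLE_LOG))):
        print(rule)
    print("label of /etc/passwd:", file_label("/etc/passwd"))
```

On a box running SELinux, feed it the real file (for example by reading /var/log/audit/audit.log instead of SAMPLE_LOG) and compare its output with audit2allow -a; on a box without SELinux, file_label() returns None, which is the same answer ls -Z gives with a dash.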




Re: Penalty of SELinux?

2007-09-24 Thread Manoj Srivastava
On Mon, 24 Sep 2007 22:16:02 -0500, Mumia W <[EMAIL PROTECTED]> said: 

> On 09/24/2007 07:52 PM, Miles Bader wrote:
>> Mike McCarty <[EMAIL PROTECTED]> writes:
>>>> even 708 old hardware seems to be running it fine for me.
>>> My objection is to having on my machine at all.
>> 
>> I object to having python and tcl on my machine.
>> 
>> -Miles
>> 

> Your Debian machine is probably not dependent upon tcl, but Debian has
> been dependent upon python for a long time.

> However, the dependency upon SElinux is more recent. There may be time
> to remove it before it becomes too entrenched and before its tentacles
> probe too deeply into Debian.

I think it has gone as deep as it is likely to go, and it is now
 a matter of polishing up the security policy, and trying to set up an
 install time option to allow people to boot into a secure mode.  All of
 this was in place before we shipped Etch, so it is not all that recent.

> I hope it's not too late. I wish I'd educated myself about SELinux
> earlier, and I wish I could've participated in the discussions about
> SElinux in Debian. I believe that if more Debian users were aware of
> the radical nature of SElinux, its complexity and the number of core
> libraries and utilities that would have to be changed to accommodate
> it, SElinux's entry into Debian could have been averted.

I am afraid that this is rather late in the day; Etch shipped
 fully SELinux capable, with all the patches that were needed already
 in.  We are in the  phase where SELinux patches are migrating upstream;
 PAM now comes built in with all the SELinux hooks required, for
 instance, and coreutils has most of them.

> Now we are in the unfortunate position of having to convince the
> maintainer of SElinux to advocate for the removal of his baby from his
> O/S. :-(

I am willing to listen to reason.

manoj
-- 
Cole's Law: Thinly sliced cabbage.
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-24 Thread Manoj Srivastava
On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty <[EMAIL PROTECTED]> said: 

> Manoj Srivastava wrote:
>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>> <[EMAIL PROTECTED]> said:
>> 
>>> Manoj Srivastava wrote:
>>>> Firstly: Very few packages have been actively patched to link
>> 
>>> Something like 50 or so. ls, mv, cp, etc.
>> 
>> Source packages.  All those are from coreutils, no?

> I believe so. My response was in regards to "very few". I suppose that
> is a subjective response. "50 or so" is not subjective.

My response suggests that 50 or so is inaccurate, if you count
 source packages. It is fewer than that.  Compared to 10k source
 packages, however, even the bloated figure of 50  is "few". BTW, I
 count 29 packages.
--8<---cut here---start->8---
libselinux1 Reverse Depends:
  coreutils cron dbus dmraid dmsetup fcron gdm gnome-user-share
  libblkid1 libdevmapper1.02.1 libgnomevfs2-0 libnss-db libpam-modules
  librpm4.4 logrotate loop-aes-utils lvm2 mount nautilus openssh-server
  passwd policycoreutils prelink rpm sysvinit sysvinit-utils udev
  util-linux xdm
--8<---cut here---end--->8---


>> 
>> Right. But a few hundred KB in memory is a smallish penalty, and

> More subjectivity :-)

All opinions are subjective.

>> even 708 old hardware seems to be running it fine for me.

> My objection is to having on my machine at all.

Feel free to create your own apt sources where you
 specifically override the defaults you do not like. This is the only
 recourse for those of us who do not like some aspect of the
 distribution, and care enough to take the effort to fork our own
 packages (I do my own kernel, uml, emacs, gnus, et. al packages)

manoj
-- 
Bacchus: A convenient deity invented by the ancients as an excuse for
getting drunk.
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-24 Thread Mumia W..

On 09/24/2007 07:52 PM, Miles Bader wrote:
> Mike McCarty <[EMAIL PROTECTED]> writes:
>>>  even 708 old hardware seems to be running it fine for me.
>>
>> My objection is to having on my machine at all.
>
> I object to having python and tcl on my machine.
>
> -Miles

Your Debian machine is probably not dependent upon tcl, but Debian has 
been dependent upon python for a long time.

However, the dependency upon SElinux is more recent. There may be time 
to remove it before it becomes too entrenched and before its tentacles 
probe too deeply into Debian.

I hope it's not too late. I wish I'd educated myself about SELinux 
earlier, and I wish I could've participated in the discussions about 
SElinux in Debian. I believe that if more Debian users were aware of the 
radical nature of SElinux, its complexity and the number of core 
libraries and utilities that would have to be changed to accommodate it, 
SElinux's entry into Debian could have been averted.

Now we are in the unfortunate position of having to convince the 
maintainer of SElinux to advocate for the removal of his baby from his 
O/S. :-(









Re: Penalty of SELinux?

2007-09-24 Thread Steve Lamb
Miles Bader wrote:
> I object to having python and tcl on my machine.

I can understand TCL but Python, c'mon, that's just crazy talk!





Re: Penalty of SELinux?

2007-09-24 Thread Miles Bader
Mike McCarty <[EMAIL PROTECTED]> writes:
>>  even 708 old hardware seems to be running it fine for me.
>
> My objection is to having on my machine at all.

I object to having python and tcl on my machine.

-Miles

-- 
`There are more things in heaven and earth, Horatio,
 Than are dreamt of in your philosophy.'





Re: Penalty of SELinux?

2007-09-24 Thread Ron Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/24/07 18:23, Mike McCarty wrote:
> consultores agropecuarios wrote:
>>
>> The real problem with SELinux is that it comes from a really well known
>> untrusted organization around the globe; and if the Debian Team accept it
>> blindly, Debian is going to become as Windows; remember that, who
> 
> I don't think anyone has accepted SELinux "blindly".
> 
>> creates, knows it the best; and a group of people could see into our own
>> machine when they want it. Particularly, I do not want that! It is
>> exactly, giving the realized work, for decades, to the enemy!
> 
> The NSA is not the enemy, unless you are trying to subvert
> the USA.

In a unipolar (and post-unipolar) world, economic espionage is just
as important as government espionage.

>   I don't want SELinux, either, but that isn't the
> reason.
> 
> But, this is getting into topic drift. On Fedora, there is
> an extensive argument going on over this.
> 
> Mike


- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG+Ff1S9HxQb37XmcRAs+zAJwO0kr750xyS4VXHyRvvz3jxB8WvQCgkeLr
CPjeRL4qbuucX7aPM16=
=Te7t
-END PGP SIGNATURE-





Re: Penalty of SELinux?

2007-09-24 Thread Ron Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/24/07 17:43, David Brodbeck wrote:
> 
> On Sep 24, 2007, at 3:26 PM, Ron Johnson wrote:
>>> But if you're worried that the NSA is targeting you, you've got a lot of
>>> more serious concerns.  Your monitor is radiating signals that can be
>>> picked up and decoded.
>>
>> Even LCD monitors?
> 
> Them too:
> http://en.wikipedia.org/wiki/Van_Eck_phreaking#LCDs

One of the mentioned countermeasures of TEMPEST is "fonts".  I can
only guess that it means that the signals needed to generate GUIs
are much harder to interpret than a plain text console.

>>>And of course your
>>> Internet connection is easy to tap.
>>
>> GPG?
> 
> If they can theoretically slip a back door into SELinux without anyone
> noticing, surely slipping one into GPG isn't going to be hard. ;)

That's a good point...

- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG+Fd9S9HxQb37XmcRAnhtAKDpSh/ra8+7oUmTNtKG/1CLgSKLRgCfcGa/
1sUj+L+yfovrNZnaloZk/cc=
=VJuX
-END PGP SIGNATURE-





Re: Penalty of SELinux?

2007-09-24 Thread Mike McCarty

Manoj Srivastava wrote:
> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty <[EMAIL PROTECTED]> said: 
>
>> Manoj Srivastava wrote:
>>> Firstly: Very few packages have been actively patched to link
>>
>> Something like 50 or so. ls, mv, cp, etc.
>
> Source packages.  All those are from coreutils, no?

I believe so. My response was in regards to "very few". I suppose
that is a subjective response. "50 or so" is not subjective.

[snip]

> Right. But a few hundred KB in memory is a smallish penalty, and

More subjectivity :-)

>  even 708 old hardware seems to be running it fine for me.

My objection is to having on my machine at all.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!






Re: Penalty of SELinux?

2007-09-24 Thread Manoj Srivastava
On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty <[EMAIL PROTECTED]> said: 

> Manoj Srivastava wrote:
>> On Sun, 23 Sep 2007 11:14:57 -0400, Douglas A Tutty
>> <[EMAIL PROTECTED]> said:
>> 
>>> On small systems, what about the penalty of just larger binaries?  I
>>> have some older boxes with 16-64 MB ram.
>> 
>> Firstly: Very few packages have been actively patched to link

> Something like 50 or so. ls, mv, cp, etc.

Source packages.  All those are from coreutils, no?

>> with selinux. Second, the selinux libraries are shared libs -- so the
>> actual binary is not significantly increased in size (well, dpkg is
>> the exception, since it is linked statically with selinux).

> It does have to be in memory, however.

>> My Pentium II box with 64MB of ram seems to run in SELinux strict
>> mode just fine -- it is my firewall.

> Good for you.

Right. But a few hundred KB in memory is a smallish penalty, and
 even 708 old hardware seems to be running it fine for me.

manoj
-- 
"The chain which can be yanked is not the eternal chain." Fitch
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


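Manoj's point that libselinux is a shared library, and Mike's reply that it still has to be in memory, can both be put in numbers with /proc/<pid>/smaps, where the kernel reports for every mapping how much is resident (Rss), how much of that is private to the process, and a proportional share (Pss) that divides each shared page among the processes mapping it. The script below is an added example for this page, not code from the thread or from any Debian package. SAMPLE_SMAPS is a constructed excerpt imitating two processes that both have libselinux.so.1 mapped; its kilobyte figures are illustrative, not measured. read_live_smaps() walks the real /proc and needs permission to read other users' smaps, which usually means root.

```python
"""Measure what a shared library really costs in memory, per process and in
total, from /proc/<pid>/smaps.  Added example for this page, not code from
the thread.  The two smaps excerpts are constructed to look like a cp and
an ls process that both have libselinux.so.1 mapped."""
import os
import re

_SMAPS_2142 = """\
b7f0a000-b7f1b000 r-xp 00000000 08:01 123456     /lib/libselinux.so.1
Size:                 68 kB
Rss:                  60 kB
Pss:                  30 kB
Shared_Clean:         60 kB
Private_Dirty:         0 kB
b7f1b000-b7f1d000 rw-p 00010000 08:01 123456     /lib/libselinux.so.1
Size:                  8 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Private_Dirty:         8 kB
bfd00000-bfd15000 rw-p 00000000 00:00 0          [stack]
Size:                 84 kB
Rss:                  12 kB
Pss:                  12 kB
Shared_Clean:          0 kB
Private_Dirty:        12 kB
"""
_SMAPS_2143 = """\
b7f0a000-b7f1b000 r-xp 00000000 08:01 123456     /lib/libselinux.so.1
Size:                 68 kB
Rss:                  60 kB
Pss:                  30 kB
Shared_Clean:         60 kB
Private_Dirty:         0 kB
b7f1b000-b7f1d000 rw-p 00010000 08:01 123456     /lib/libselinux.so.1
Size:                  8 kB
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Private_Dirty:         8 kB
"""
# Constructed: pid -> smaps text, as if read from /proc/<pid>/smaps.
SAMPLE_SMAPS = {2142: _SMAPS_2142, 2143: _SMAPS_2143}

HEADER_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")
FIELD_RE = re.compile(r"^(\w+):\s+(\d+) kB$")


def parse_smaps(text):
    """One dict per mapping: permissions, backing path and the kB fields."""
    maps = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            maps.append({"perms": m.group(1), "path": m.group(2).strip(), "fields": {}})
            continue
        f = FIELD_RE.match(line)
        if f and maps:
            maps[-1]["fields"][f.group(1)] = int(f.group(2))
    return maps


def library_cost(smaps_by_pid, libname):
    """Per process and in total: Rss (pages the process has touched), Pss (Rss
    with each shared page divided among its sharers) and private pages, for
    every mapping whose file name starts with libname.  Summing Pss over all
    processes gives the physical cost; summing Rss counts the shared text
    once per process, which is the overestimate the thread argues about."""
    per_pid = {}
    for pid, text in smaps_by_pid.items():
        rss = pss = private = 0
        for mapping in parse_smaps(text):
            if not os.path.basename(mapping["path"]).startswith(libname):
                continue
            f = mapping["fields"]
            rss += f.get("Rss", 0)
            pss += f.get("Pss", 0)
            private += f.get("Private_Dirty", 0) + f.get("Private_Clean", 0)
        per_pid[pid] = {"rss_kb": rss, "pss_kb": pss, "private_kb": private}
    total = {k: sum(v[k] for v in per_pid.values())
             for k in ("rss_kb", "pss_kb", "private_kb")}
    return per_pid, total


def read_live_smaps(libname):
    """Collect smaps text for every process that maps libname.  Processes whose
    smaps cannot be read (other users', without root) are skipped."""
    found = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open("/proc/%s/smaps" % pid) as fh:
                text = fh.read()
        except OSError:
            continue
        if libname in text:
            found[int(pid)] = text
    return found


if __name__ == "__main__":
    live = read_live_smaps("libselinux")
    per_pid, total = library_cost(live or SAMPLE_SMAPS, "libselinux")
    for pid, cost in sorted(per_pid.items()):
        print(pid, cost)
    print("total", total, "" if live else "(constructed sample)")
```

In the constructed sample the read-only text mapping (r-xp) shows up as 60 kB of Shared_Clean in each process but contributes 30 kB of Pss to each, so the two processes together account for the 60 kB once; only the small rw-p data mapping (relocated data and GOT) is paid again by every process that loads the library. That is the shape of the penalty on a real system too, with dpkg as the exception Manoj names, since a statically linked copy is private to that one binary.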



Re: Penalty of SELinux?

2007-09-24 Thread Manoj Srivastava
On Mon, 24 Sep 2007 21:24:10 +0100, John Stumbles <[EMAIL PROTECTED]> said: 

> Manoj Srivastava wrote:
>> On Sun, 23 Sep 2007 17:13:59 -0700, consultores agropecuarios
>> <[EMAIL PROTECTED]> said:
>> 
>>> The real problem with SELinux is that it comes from a really well
>>> known untrusted organization around the globe;
>> 
>> This is one place I differ.  I know and like Stephen Smalley, and I
>> do not look at all the products of the NSA as being, umm,
>> untrustworthy.  And it is not as if it is closed source; gazillions
>> of security conscious eyes have looked at the offering.

> "To what extent should one trust a statement that a program is free of
> Trojan horses? Perhaps it is more important to trust the people who
> wrote the software."

Don't.  Do a full audit yourself.  I have been doing that (well,
 not quite so much the LSM hooks anymore, but there are other eyes on
 that) before I accepted SELinux myself.

It is not as if the source code is hidden.  If you do not trust
 yourself to be able to find any trojans hidden there, find someone you
 can trust to do it for you.

manoj
-- 
Breadth-first search is the bulldozer of science. Randy Goebel
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-24 Thread Mike McCarty

consultores agropecuarios wrote:
> The real problem with SELinux is that it comes from a really well known
> untrusted organization around the globe; and if the Debian Team accept it
> blindly, Debian is going to become as Windows; remember that, who

I don't think anyone has accepted SELinux "blindly".

> creates, knows it the best; and a group of people could see into our own
> machine when they want it. Particularly, I do not want that! It is
> exactly, giving the realized work, for decades, to the enemy!

The NSA is not the enemy, unless you are trying to subvert
the USA. I don't want SELinux, either, but that isn't the
reason.

But, this is getting into topic drift. On Fedora, there is
an extensive argument going on over this.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!






Re: Penalty of SELinux?

2007-09-24 Thread Mike McCarty

Manoj Srivastava wrote:
> On Sun, 23 Sep 2007 11:14:57 -0400, Douglas A Tutty
> <[EMAIL PROTECTED]> said:  
>
>> On small systems, what about the penalty of just larger binaries?  I
>> have some older boxes with 16-64 MB ram.
>
> Firstly: Very few packages have been actively patched to link

Something like 50 or so. ls, mv, cp, etc.

>  with selinux. Second, the selinux libraries are shared libs -- so the
>  actual binary is not significantly increased in size (well, dpkg is the
>  exception, since it is linked statically with selinux).

It does have to be in memory, however.

> My Pentium II box with 64MB of ram seems to run in SELinux
>  strict mode just fine -- it is my firewall.

Good for you.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!






Re: Penalty of SELinux?

2007-09-24 Thread Mike McCarty

Douglas A. Tutty wrote:
> It's not their thing either.
>
> I know there are minidistros like DSL but DSL is small as in how much
> can they pack onto a small CD, not how to shoehorn into 16-32 MB ram.
> I'm also not sure how they keep up with security fixes.

I beg to differ. One of the "selling points" of DSL is that
it has a small RAM footprint. I have run it on a 486 with
16MB of RAM.

> OBSD becomes new every 6 months with security patches whenever, but I
> can't build with this small ram and especially this small a drive.  
>
> My biggest problem is that there is no OS designed to be great for a
> stand-alone old small computer.  An OS that can both fit on small 
> resources, and be kept up-to-date without a separate build machine.  

Yes, there is that. Part of it is that we live in a "throw away"
world these days. What benefit expending effort keeping old machines
going, when people want the newer faster ones, anyway?

> Linux's target is the modern desktop and the focus is on keeping up with

That is not my impression. My impression is that all UNIX-like OSes
target and have targeted large servers. Or at least, that's the
deployment.

> new hardware.  The BSDs keep the drivers for old hardware but patches
> require building and that building relies on gcc which isn't optimized
> for use on old systems.  
>
> So I'll keep looking.

I wish you success.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!






Re: Penalty of SELinux?

2007-09-24 Thread David Brodbeck


On Sep 24, 2007, at 3:26 PM, Ron Johnson wrote:
>> But if you're worried that the NSA is targeting you, you've got a lot of
>> more serious concerns.  Your monitor is radiating signals that can be
>> picked up and decoded.
>
> Even LCD monitors?

Them too:
http://en.wikipedia.org/wiki/Van_Eck_phreaking#LCDs

>> And of course your
>> Internet connection is easy to tap.
>
> GPG?

If they can theoretically slip a back door into SELinux without
anyone noticing, surely slipping one into GPG isn't going to be hard. ;)









Re: Penalty of SELinux?

2007-09-24 Thread Ron Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/24/07 15:46, David Brodbeck wrote:
[snip]
> 
> But if you're worried that the NSA is targeting you, you've got a lot of
> more serious concerns.  Your monitor is radiating signals that can be
> picked up and decoded.

Even LCD monitors?

>So are your network cables.

Shielded TP?

>And of course your
> Internet connection is easy to tap.

GPG?

>  You'd really better disconnect from
> the Internet and start building a Faraday cage, if you want to be safe.

- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG+Dl5S9HxQb37XmcRAt5BAJ9A6uutDNS07IATfYt8XPDZEewPwgCfdbu8
KJ7uhnB1GkcqGEvfgY2LqdE=
=0xFb
-END PGP SIGNATURE-





Re: Penalty of SELinux?

2007-09-24 Thread David Brodbeck


On Sep 24, 2007, at 1:24 PM, John Stumbles wrote:
> Manoj Srivastava wrote:
>> On Sun, 23 Sep 2007 17:13:59 -0700, consultores agropecuarios
>> <[EMAIL PROTECTED]> said:
>>> The real problem with SELinux is that it comes from a really well known
>>> untrusted organization around the globe;
>>
>> This is one place I differ.  I know and like Stephen Smalley,
>>  and I do not look at all the products of the NSA as being, umm,
>>  untrustworthy.  And it is not as if it is closed source; gazillions of
>>  security conscious eyes have looked at the offering.
>
> "To what extent should one trust a statement that a program is free
> of Trojan horses? Perhaps it is more important to trust the people
> who wrote the software."
>
> http://cm.bell-labs.com/who/ken/trust.html

The interesting thing about this example is it's very clever and hard
to detect -- but only if everyone is using a compiler binary that was
itself built with a trojaned binary.  This is where the "many eyes"
theory comes in.  The moment someone uses a non-trojaned compiler to
compile the source code, the chain is broken.

So, if the concern is that SELinux may have a hidden trojan that is
being perpetuated by it somehow slipping something into GCC's output
on-the-fly, the obvious solution would be to build your SELinux
kernel on a machine that isn't itself running SELinux.

But if you're worried that the NSA is targeting you, you've got a lot
of more serious concerns.  Your monitor is radiating signals that can
be picked up and decoded.  So are your network cables.  And of course
your Internet connection is easy to tap.  You'd really better
disconnect from the Internet and start building a Faraday cage, if
you want to be safe.









Re: Penalty of SELinux?

2007-09-24 Thread John Stumbles

Manoj Srivastava wrote:
> On Sun, 23 Sep 2007 17:13:59 -0700, consultores agropecuarios
> <[EMAIL PROTECTED]> said:  
>
>> The real problem with SELinux is that it comes from a really well known
>> untrusted organization around the globe;
>
> This is one place I differ.  I know and like Stephen Smalley,
>  and I do not look at all the products of the NSA as being, umm,
>  untrustworthy.  And it is not as if it is closed source; gazillions of
>  security conscious eyes have looked at the offering.

"To what extent should one trust a statement that a program is free of 
Trojan horses? Perhaps it is more important to trust the people who 
wrote the software."

http://cm.bell-labs.com/who/ken/trust.html

http://en.wikipedia.org/wiki/Backdoor_(computing)#Overview
http://www.ussg.iu.edu/hypermail/linux/kernel/0311.0/0635.html









Re: Penalty of SELinux?

2007-09-24 Thread Ron Johnson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/24/07 12:01, David Brodbeck wrote:
> 
> On Sep 23, 2007, at 8:27 AM, Ron Johnson wrote:
> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> On 09/23/07 10:13, Douglas A. Tutty wrote:
>> [snip]
>>>
>>> My biggest problem is that there is no OS designed to be great for a
>>> stand-alone old small computer.  An OS that can both fit on small
>>> resources, and be kept up-to-date without a separate build machine.
>>>
>>> Linux's target is the modern desktop and the focus is on keeping up with
>>> new hardware.  The BSDs keep the drivers for old hardware but patches
>>> require building and that building relies on gcc which isn't optimized
>>> for use on old systems.
>>>
>>> So I'll keep looking.
>>
>> NetBSD.
> 
> Same basic problem, I think.  To apply security patches you have to
> recompile.  To recompile, you have to use GCC, which is a resource hog. 
> You'd get old and die waiting for "make world" to finish on a machine
> with 64 megs of RAM.
> 
> One solution, if there are faster machines on the LAN, might be to use
> distcc.  But then you're not "really" stand-alone.

RSN, OBSD will be moving from gcc to pcc, which is supposed to be a
*much* faster compiler.  Maybe NetBSD will follow suit.

- --
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG9/FIS9HxQb37XmcRAoDFAKDugy96z639qX7Wk+wbZjOl8CZnHgCgjEkR
N224tFd2eY/k6zowOADYoXI=
=pYku
-END PGP SIGNATURE-





Re: Penalty of SELinux?

2007-09-24 Thread David Brodbeck


On Sep 23, 2007, at 8:27 AM, Ron Johnson wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 09/23/07 10:13, Douglas A. Tutty wrote:
> [snip]
>> My biggest problem is that there is no OS designed to be great for a
>> stand-alone old small computer.  An OS that can both fit on small
>> resources, and be kept up-to-date without a separate build machine.
>>
>> Linux's target is the modern desktop and the focus is on keeping up with
>> new hardware.  The BSDs keep the drivers for old hardware but patches
>> require building and that building relies on gcc which isn't optimized
>> for use on old systems.
>>
>> So I'll keep looking.
>
> NetBSD.

Same basic problem, I think.  To apply security patches you have to
recompile.  To recompile, you have to use GCC, which is a resource
hog.  You'd get old and die waiting for "make world" to finish on a
machine with 64 megs of RAM.

One solution, if there are faster machines on the LAN, might be to
use distcc.  But then you're not "really" stand-alone.









OT: Alternative OSes [was Re: Penalty of SELinux?]

2007-09-24 Thread Andrew Sackville-West
On Sun, Sep 23, 2007 at 10:30:38PM -0400, Douglas A. Tutty wrote:
> On Sun, Sep 23, 2007 at 03:43:11PM -0700, Andrew Sackville-West wrote:
> > On Sun, Sep 23, 2007 at 11:13:13AM -0400, Douglas A. Tutty wrote:
>  > 
> > > I know there are minidistros like DSL but DSL is small as in how much
> > > can they pack onto a small CD, not how to shoehorn into 16-32 MB ram.
> > > I'm also not sure how they keep up with security fixes.
>  
> > > My biggest problem is that there is no OS designed to be great for a
> > > stand-alone old small computer.  An OS that can both fit on small 
> > > resources, and be kept up-to-date without a separate build machine.  
> 
> > > Linux's target is the modern desktop and the focus is on keeping up with
> > > new hardware.  The BSDs keep the drivers for old hardware but patches
> > > require building and that building relies on gcc which isn't optimized
> > > for use on old systems.  
> > 
> > I think they're all 32+ bit, but if you're looking for something to
> > play with, you might check out something like menuet or
> > kolibrios. Both are OSes written in assembler and are pretty cool/fun
> > things to play with. Pretty low resource requirements. 
> 
> I'll look into it.  However, mostly, my old boxes get used as thin
> clients, so they have to have ssh and preferably X.  

yeah, they're definitely not going to work for that. Just fun toys at
the moment, I think.

A


signature.asc
Description: Digital signature


Re: Penalty of SELinux?

2007-09-23 Thread Douglas A. Tutty
On Sun, Sep 23, 2007 at 03:43:11PM -0700, Andrew Sackville-West wrote:
> On Sun, Sep 23, 2007 at 11:13:13AM -0400, Douglas A. Tutty wrote:
 > 
> > I know there are minidistros like DSL but DSL is small as in how much
> > can they pack onto a small CD, not how to shoehorn into 16-32 MB ram.
> > I'm also not sure how they keep up with security fixes.
 
> > My biggest problem is that there is no OS designed to be great for a
> > stand-alone old small computer.  An OS that can both fit on small 
> > resources, and be kept up-to-date without a separate build machine.  

> > Linux's target is the modern desktop and the focus is on keeping up with
> > new hardware.  The BSDs keep the drivers for old hardware but patches
> > require building and that building relies on gcc which isn't optimized
> > for use on old systems.  
> 
> I think they're all 32+ bit, but if you're looking for something to
> play with, you might check out something like menuet or
> kolibrios. Both are OSes written in assembler and are pretty cool/fun
> things to play with. Pretty low resource requirements. 

I'll look into it.  However, mostly, my old boxes get used as thin
clients, so they have to have ssh and preferably X.  

Doug.





Re: Penalty of SELinux?

2007-09-23 Thread Manoj Srivastava
On Sun, 23 Sep 2007 17:13:59 -0700, consultores agropecuarios
<[EMAIL PROTECTED]> said:  

> The real problem with SELinux is that it comes from a really well known
> untrusted organization around the globe;

This is one place I differ.  I know and like Stephen Smalley,
 and I do not look at all the products of the NSA as being, umm,
 untrustworthy.  And it is not as if it is closed source; gazillions of
 security conscious eyes have looked at the offering.

> and if the Debian Team accept it blindly, Debian is going to become as
> Windows; remember that, who

Heh. Well, I've been doing SELinux work for a while, and I am
 not doing things blindly.  For the most part, Debian developers are
 familiar with and often a part of the developer community of the
 packages they maintain, so not much of this trust blindly goes on as a
 rule.

> creates, knows it the best; and a group of people could see into our
> own machine when they want it. Particularly, I do not want that! It is
> exactly, giving the realized work, for decades, to the enemy!

Do you have any concrete flaws you can point to, or is this just
 plain old FUD?  I'll be happy to investigate concrete bugs, trojans,
 flaws, back door, or what have you, but this vague, uncertain fear and
 doubt gives nothing concrete to work on and fix.

manoj

-- 
Finagle's First Law: If an experiment works, something has gone wrong.
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-23 Thread John Hasler
consultores writes:
> The real problem with SELinux is that it comes from a really well known
> untrusted organization around the globe...

Has it occurred to you that if NSA wanted to slip a backdoor into Linux and
thought that they could slip it past all the prying eyes that they just
might be intelligent enough to do it by planting a mole among the kernel
developers?  Better get started on doing background checks on all of them!

BTW what are you doing that you believe would interest the NSA?  If I had
such secrets I wouldn't store them on any computer (and I certainly
wouldn't express my fears on a public mailing list).
-- 
John Hasler





Re: Penalty of SELinux?

2007-09-23 Thread consultores agropecuarios
On Sun, 23-09-2007 at 14:41 -0500, Manoj Srivastava wrote:
> On Sun, 23 Sep 2007 11:14:57 -0400, Douglas A Tutty
> <[EMAIL PROTECTED]> said:  
> 
> > On small systems, what about the penalty of just larger binaries?  I
> > have some older boxes with 16-64 MB ram.
> 
> Firstly: Very few packages have been actively patched to link
>  with selinux. Second, the selinux libraries are shared libs -- so the
>  actual binary is not significantly increased in size (well, dpkg is the
>  exception, since it is linked statically with selinux).
> 
> My Pentium II box with 64MB of ram seems to run in SELinux
>  strict mode just fine -- it is my firewall.
> 
> manoj
> -- 

The real problem with SELinux is that it comes from a really well known
untrusted organization around the globe; and if the Debian Team accept it
blindly, Debian is going to become like Windows; remember that, who
creates, knows it best; and a group of people could see into our own
machine when they want it. Particularly, I do not want that! It is
exactly, giving the realized work, for decades, to the enemy!

> Lord, what fools these mortals be! William Shakespeare, "A
> Midsummer-Night's Dream"
> Manoj Srivastava <[EMAIL PROTECTED]> 
> 1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
> 
> 





Re: Penalty of SELinux?

2007-09-23 Thread Andrew Sackville-West
On Sun, Sep 23, 2007 at 11:13:13AM -0400, Douglas A. Tutty wrote:
> On Sat, Sep 22, 2007 at 09:51:52PM -0500, Ron Johnson wrote:
> > On 09/22/07 20:44, Douglas A. Tutty wrote:
> > > Well, it speeded up somewhat by ditching the install-by-default locales
> > > stuff and sticking with 'C'.  I use icewm.  On Etch, xorg takes a lot
> > > more memory than on OBSD.  Enough that with one xterm only, Etch hits
> > > swap and OBSD has 15 MB ram free.  I can open Konqueror via ssh and
> > > still not hit swap (unless I open more than 4 tabs).  
> > > 
> > > So yes, etch is slower and uses more memory than OpenBSD.
> > > 
> > > On the other hand, nothing is easier to set up than Debian with
> > > aptitude.  OBSD's packages don't come with startup scripts; you have
> > > to write your own.  I've also had some interoperability problems when
> > > sshing from OBSD to Etch.  Had to find a common TERM when on VTs
> > > (TERM=screen works), and lately iceweasel doesn't work via ssh from
> > > OBSD.
> > > 
> > > Also, as a desktop, OBSD is difficult.  
> > > 
> > > So it's a tradeoff.  I haven't decided which way to go for the P-II, but
> > > I'll stick with Etch for my Athlon64 for the multi-media ease.
> > 
> > What's FreeBSD like on small systems?
> 
> It's not their thing either.
> 
> I know there are minidistros like DSL but DSL is small as in how much
> can they pack onto a small CD, not how to shoehorn into 16-32 MB ram.
> I'm also not sure how they keep up with security fixes.
> 
> OBSD becomes new every 6 months with security patches whenever, but I
> can't build with this small ram and especially this small a drive.  
> 
> My biggest problem is that there is no OS designed to be great for a
> stand-alone old small computer.  An OS that can both fit on small 
> resources, and be kept up-to-date without a separate build machine.  
> 
> Linux's target is the modern desktop and the focus is on keeping up with
> new hardware.  The BSDs keep the drivers for old hardware but patches
> require building and that building relies on gcc which isn't optimized
> for use on old systems.  

I think they're all 32+ bit, but if you're looking for something to
play with, you might check out something like menuet or
kolibrios. Both are OSes written in assembler and are pretty cool/fun
things to play with. Pretty low resource requirements. 


A




Re: Penalty of SELinux?

2007-09-23 Thread Alex Samad
On Sun, Sep 23, 2007 at 11:13:13AM -0400, Douglas A. Tutty wrote:
> On Sat, Sep 22, 2007 at 09:51:52PM -0500, Ron Johnson wrote:
> > On 09/22/07 20:44, Douglas A. Tutty wrote:
> > > Well, it speeded up somewhat by ditching the install-by-default locales
> > > stuff and sticking with 'C'.  I use icewm.  On Etch, xorg takes a lot
> > > more memory than on OBSD.  Enough that with one xterm only, Etch hits
> > > swap and OBSD has 15 MB ram free.  I can open Konqueror via ssh and
> > > still not hit swap (unless I open more than 4 tabs).  
> > > 
> > > So yes, etch is slower and uses more memory than OpenBSD.
> > > 
> > > On the other hand, nothing is easier to set up than Debian with
> > > aptitude.  OBSD's packages don't come with startup scripts; you have
> > > to write your own.  I've also had some interoperability problems when
> > > sshing from OBSD to Etch.  Had to find a common TERM when on VTs
> > > (TERM=screen works), and lately iceweasel doesn't work via ssh from
> > > OBSD.
> > > 
> > > Also, as a desktop, OBSD is difficult.  
> > > 
> > > So it's a tradeoff.  I haven't decided which way to go for the P-II, but
> > > I'll stick with Etch for my Athlon64 for the multi-media ease.
> > 
> > What's FreeBSD like on small systems?
> 
> It's not their thing either.
> 
> I know there are minidistros like DSL but DSL is small as in how much
> can they pack onto a small CD, not how to shoehorn into 16-32 MB ram.
> I'm also not sure how they keep up with security fixes.
> 
> OBSD becomes new every 6 months with security patches whenever, but I
> can't build with this small ram and especially this small a drive.  
> 
> My biggest problem is that there is no OS designed to be great for a
> stand-alone old small computer.  An OS that can both fit on small 
> resources, and be kept up-to-date without a separate build machine.  
> 
> Linux's target is the modern desktop and the focus is on keeping up with
> new hardware.  The BSDs keep the drivers for old hardware but patches
> require building and that building relies on gcc which isn't optimized
> for use on old systems.  
> 
> So I'll keep looking.
depending on what you are trying to do, openwrt - built for 8M-16M flash 
machines, they have a compile for x86?  I believe based on Debian 
www.openwrt.org


> 
> Doug.




Re: Penalty of SELinux?

2007-09-23 Thread Manoj Srivastava
On Sun, 23 Sep 2007 11:14:57 -0400, Douglas A Tutty
<[EMAIL PROTECTED]> said:  

> On small systems, what about the penalty of just larger binaries?  I
> have some older boxes with 16-64 MB ram.

Firstly: Very few packages have been actively patched to link
 with selinux. Second, the selinux libraries are shared libs -- so the
 actual binary is not significantly increased in size (well, dpkg is the
 exception, since it is linked statically with selinux).

My Pentium II box with 64MB of ram seems to run in SELinux
 strict mode just fine -- it is my firewall.

manoj
-- 
Lord, what fools these mortals be! William Shakespeare, "A
Midsummer-Night's Dream"
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-23 Thread Henrique de Moraes Holschuh
On Sun, 23 Sep 2007, Douglas A. Tutty wrote:
> On small systems, what about the penalty of just larger binaries?  I
> have some older boxes with 16-64 MB ram.  

Ever looked at just how many 'non-essential' libs we link (from a
small-system PoV)?

Debian is *not* the distro for anyone that needs to optimize memory use like
that.  This has little to do with SELinux, which is just yet another lib,
and not even a big one at that...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Penalty of SELinux?

2007-09-23 Thread Ron Johnson
On 09/23/07 10:13, Douglas A. Tutty wrote:
[snip]
> 
> My biggest problem is that there is no OS designed to be great for a
> stand-alone old small computer.  An OS that can both fit on small 
> resources, and be kept up-to-date without a separate build machine.  
> 
> Linux's target is the modern desktop and the focus is on keeping up with
> new hardware.  The BSDs keep the drivers for old hardware but patches
> require building and that building relies on gcc which isn't optimized
> for use on old systems.  
> 
> So I'll keep looking.

NetBSD.

-- 
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!






Re: Penalty of SELinux?

2007-09-23 Thread Douglas A. Tutty
On Sat, Sep 22, 2007 at 11:38:29PM -0500, Manoj Srivastava wrote:
> On Sat, 22 Sep 2007 11:29:09 -0400, Douglas A Tutty
> <[EMAIL PROTECTED]> said:  
> 
> > I run a bunch of old machines.  Now that SELinux is integrated
> > (compiled in) to various pieces of Debian, is there a penalty even if
> > it's not activated?
> 
> Not that one can discern.  An active SELinux running in
>  enforcing mode can have up to 7-8% performance hit, but some patches are
>  going into 2.6.24 that might improve the performance.
> 
> Of course, take all benchmarks with a grain of salt, including
>  this one; it all depends on your particular load pattern; and system
>  resources, etc, etc.
> 

On small systems, what about the penalty of just larger binaries?  I
have some older boxes with 16-64 MB ram.  

Doug.





Re: Penalty of SELinux?

2007-09-23 Thread Douglas A. Tutty
On Sat, Sep 22, 2007 at 09:51:52PM -0500, Ron Johnson wrote:
> On 09/22/07 20:44, Douglas A. Tutty wrote:
> > Well, it speeded up somewhat by ditching the install-by-default locales
> > stuff and sticking with 'C'.  I use icewm.  On Etch, xorg takes a lot
> > more memory than on OBSD.  Enough that with one xterm only, Etch hits
> > swap and OBSD has 15 MB ram free.  I can open Konqueror via ssh and
> > still not hit swap (unless I open more than 4 tabs).  
> > 
> > So yes, etch is slower and uses more memory than OpenBSD.
> > 
> > On the other hand, nothing is easier to set up than Debian with
> > aptitude.  OBSD's packages don't come with startup scripts; you have
> > to write your own.  I've also had some interoperability problems when
> > sshing from OBSD to Etch.  Had to find a common TERM when on VTs
> > (TERM=screen works), and lately iceweasel doesn't work via ssh from
> > OBSD.
> > 
> > Also, as a desktop, OBSD is difficult.  
> > 
> > So it's a tradeoff.  I haven't decided which way to go for the P-II, but
> > I'll stick with Etch for my Athlon64 for the multi-media ease.
> 
> What's FreeBSD like on small systems?

It's not their thing either.

I know there are minidistros like DSL but DSL is small as in how much
can they pack onto a small CD, not how to shoehorn into 16-32 MB ram.
I'm also not sure how they keep up with security fixes.

OBSD becomes new every 6 months with security patches whenever, but I
can't build with this small ram and especially this small a drive.  

My biggest problem is that there is no OS designed to be great for a
stand-alone old small computer.  An OS that can both fit on small 
resources, and be kept up-to-date without a separate build machine.  

Linux's target is the modern desktop and the focus is on keeping up with
new hardware.  The BSDs keep the drivers for old hardware but patches
require building and that building relies on gcc which isn't optimized
for use on old systems.  

So I'll keep looking.

Doug.





Re: Penalty of SELinux?

2007-09-22 Thread Manoj Srivastava
On Sat, 22 Sep 2007 11:29:09 -0400, Douglas A Tutty
<[EMAIL PROTECTED]> said:  

> I run a bunch of old machines.  Now that SELinux is integrated
> (compiled in) to various pieces of Debian, is there a penalty even if
> it's not activated?

Not that one can discern.  An active SELinux running in
 enforcing mode can have up to 7-8% performance hit, but some patches are
 going into 2.6.24 that might improve the performance.

Of course, take all benchmarks with a grain of salt, including
 this one; it all depends on your particular load pattern; and system
 resources, etc, etc.

manoj
-- 
You were s'posed to laugh!
Manoj Srivastava <[EMAIL PROTECTED]> 
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Penalty of SELinux?

2007-09-22 Thread Ron Johnson
On 09/22/07 20:44, Douglas A. Tutty wrote:
> On Sat, Sep 22, 2007 at 09:44:36PM -0300, Henrique de Moraes Holschuh wrote:
>  
>>> I know.  my 486 won't run debian anymore.  Not enough ram.  Runs great
>>> with OBSD.  My P-II runs quite slow with Etch (OK with Sarge).  Also
>>> runs great with OBSD.
>> Etch should run great on a P-II, as long as you ditch the heavy-weight
>> desktop environments, and keep the number of packages installed under control
>> (otherwise apt/dpkg will require too much RAM, and hit swap too heavily).
> 
> Well, it speeded up somewhat by ditching the install-by-default locales
> stuff and sticking with 'C'.  I use icewm.  On Etch, xorg takes a lot
> more memory than on OBSD.  Enough that with one xterm only, Etch hits
> swap and OBSD has 15 MB ram free.  I can open Konqueror via ssh and
> still not hit swap (unless I open more than 4 tabs).  
> 
> So yes, etch is slower and uses more memory than OpenBSD.
> 
> On the other hand, nothing is easier to set up than Debian with
> aptitude.  OBSD's packages don't come with startup scripts; you have
> to write your own.  I've also had some interoperability problems when
> sshing from OBSD to Etch.  Had to find a common TERM when on VTs
> (TERM=screen works), and lately iceweasel doesn't work via ssh from
> OBSD.
> 
> Also, as a desktop, OBSD is difficult.  
> 
> So it's a tradeoff.  I haven't decided which way to go for the P-II, but
> I'll stick with Etch for my Athlon64 for the multi-media ease.

What's FreeBSD like on small systems?


-- 
Ron Johnson, Jr.
Jefferson LA  USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!






Re: Penalty of SELinux?

2007-09-22 Thread Douglas A. Tutty
On Sat, Sep 22, 2007 at 09:44:36PM -0300, Henrique de Moraes Holschuh wrote:
 
> > I know.  my 486 won't run debian anymore.  Not enough ram.  Runs great
> > with OBSD.  My P-II runs quite slow with Etch (OK with Sarge).  Also
> > runs great with OBSD.
> 
> Etch should run great on a P-II, as long as you ditch the heavy-weight
> desktop environments, and keep the number of packages installed under control
> (otherwise apt/dpkg will require too much RAM, and hit swap too heavily).

Well, it speeded up somewhat by ditching the install-by-default locales
stuff and sticking with 'C'.  I use icewm.  On Etch, xorg takes a lot
more memory than on OBSD.  Enough that with one xterm only, Etch hits
swap and OBSD has 15 MB ram free.  I can open Konqueror via ssh and
still not hit swap (unless I open more than 4 tabs).  

So yes, etch is slower and uses more memory than OpenBSD.

On the other hand, nothing is easier to set up than Debian with
aptitude.  OBSD's packages don't come with startup scripts; you have
to write your own.  I've also had some interoperability problems when
sshing from OBSD to Etch.  Had to find a common TERM when on VTs
(TERM=screen works), and lately iceweasel doesn't work via ssh from
OBSD.

Also, as a desktop, OBSD is difficult.  

So it's a tradeoff.  I haven't decided which way to go for the P-II, but
I'll stick with Etch for my Athlon64 for the multi-media ease.

Doug.





Re: Penalty of SELinux?

2007-09-22 Thread Henrique de Moraes Holschuh
On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
> > Apart from one copy of the libs on RAM that is shared by all other stuff,
> > and (maybe) some extra growth in the data segments, no.  And if you care about
> > that, you'd better be pissed off at something else than SE Linux, which is
> > small...  we have some damn big libs linked everywhere.
> 
> I know.  my 486 won't run debian anymore.  Not enough ram.  Runs great
> with OBSD.  My P-II runs quite slow with Etch (OK with Sarge).  Also
> runs great with OBSD.

Etch should run great on a P-II, as long as you ditch the heavy-weight
desktop environments, and keep the number of packages installed under control
(otherwise apt/dpkg will require too much RAM, and hit swap too heavily).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Penalty of SELinux?

2007-09-22 Thread Douglas A. Tutty
On Sat, Sep 22, 2007 at 07:39:49PM -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
> > Now that SELinux is integrated (compiled in) to various pieces of
> > Debian, is there a penalty even if it's not activated?
> 
> Apart from one copy of the libs on RAM that is shared by all other stuff,
> and (maybe) some extra growth in the data segments, no.  And if you care about
> that, you'd better be pissed off at something else than SE Linux, which is
> small...  we have some damn big libs linked everywhere.
> 

I know.  my 486 won't run debian anymore.  Not enough ram.  Runs great
with OBSD.  My P-II runs quite slow with Etch (OK with Sarge).  Also
runs great with OBSD.

Thanks.

Doug.





Re: Penalty of SELinux?

2007-09-22 Thread Henrique de Moraes Holschuh
On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
> Now that SELinux is integrated (compiled in) to various pieces of
> Debian, is there a penalty even if its not activated?

Apart from one copy of the libs on RAM that is shared by all other stuff,
and (maybe) some extra growth in the data segments, no.  And if you care about
that, you'd better be pissed off at something else than SE Linux, which is
small...  we have some damn big libs linked everywhere.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
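Manoj's answer further up (the selinux libraries are shared, so binaries barely grow, with statically linked dpkg as the exception) and Henrique's here (one copy of the lib in RAM shared by everyone, maybe some growth in the data segments) come down to the same measurement: how much of a library's resident memory is actually charged to each process that links it. The script below is an added example for this thread, not code from any of its posters. It parses /proc/<pid>/smaps, which Linux exposes for every process, and splits each mapped object's resident pages into the part shared with other processes (file-backed text, paid once system-wide) and the part private to the process (data pages, copy-on-write growth). The SAMPLE_SMAPS excerpt, its paths and every byte count in it are constructed for illustration, not measured on a real box.

```python
"""Attribute a process's resident memory to the objects mapped into it.

Added example, not code from anyone in the thread: parse /proc/<pid>/smaps and
split each mapped object's resident pages into shared (file-backed text, paid
once system-wide) and private (data pages, copy-on-write growth).
SAMPLE_SMAPS is a constructed excerpt; its sizes are illustrative.
"""
import re
from collections import defaultdict

SAMPLE_SMAPS = """\
7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1052672    /lib/x86_64-linux-gnu/libselinux.so.1
Rss:                 120 kB
Pss:                  10 kB
Shared_Clean:        120 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
VmFlags: rd ex mr mw me
7f3a1c221000-7f3a1c223000 rw-p 00021000 08:01 1052672    /lib/x86_64-linux-gnu/libselinux.so.1
Rss:                   8 kB
Pss:                   8 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         8 kB
7f3a1c400000-7f3a1c55e000 r-xp 00000000 08:01 1049123    /lib/x86_64-linux-gnu/libc.so.6
Rss:                 900 kB
Pss:                  60 kB
Shared_Clean:        900 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:         0 kB
55d1a3000000-55d1a3042000 rw-p 00000000 00:00 0          [heap]
Rss:                 200 kB
Pss:                 200 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
Private_Clean:         0 kB
Private_Dirty:       200 kB
"""

# Mapping header: "start-end perms offset dev inode [path]"; anonymous mappings have no path.
_HEADER = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")
# Per-mapping counter such as "Shared_Clean:  120 kB"; lines without a kB value (VmFlags) are skipped.
_FIELD = re.compile(r"^([A-Za-z_]+):\s+(\d+) kB$")


def parse_smaps(text):
    """Return one dict per mapping holding its perms, path and kB counters."""
    mappings, current = [], None
    for line in text.splitlines():
        head = _HEADER.match(line)
        if head:
            current = {"perms": head.group(3), "path": head.group(4).strip() or "[anon]"}
            mappings.append(current)
        elif current is not None:
            field = _FIELD.match(line)
            if field:
                current[field.group(1)] = int(field.group(2))
    return mappings


def summarize_by_object(mappings):
    """Sum Rss, Pss and the shared/private split over all mappings of each path."""
    totals = defaultdict(lambda: {"rss": 0, "pss": 0, "shared": 0, "private": 0})
    for m in mappings:
        t = totals[m["path"]]
        t["rss"] += m.get("Rss", 0)
        t["pss"] += m.get("Pss", 0)
        t["shared"] += m.get("Shared_Clean", 0) + m.get("Shared_Dirty", 0)
        t["private"] += m.get("Private_Clean", 0) + m.get("Private_Dirty", 0)
    return dict(totals)


def library_cost(summary, needle):
    """Total every object whose path contains needle, e.g. 'libselinux'."""
    cost = {"rss": 0, "pss": 0, "shared": 0, "private": 0}
    for path, t in summary.items():
        if needle in path:
            for key in cost:
                cost[key] += t[key]
    return cost


def read_process_smaps(pid):
    """Read a live process's smaps (Linux only; needs ptrace access to the PID)."""
    with open(f"/proc/{pid}/smaps") as fh:
        return fh.read()


if __name__ == "__main__":
    summary = summarize_by_object(parse_smaps(SAMPLE_SMAPS))
    for path, t in summary.items():
        print(f"{path:40} rss={t['rss']:5} shared={t['shared']:5} private={t['private']:4} kB")
    sel = library_cost(summary, "libselinux")
    print(f"libselinux: {sel['rss']} kB resident, {sel['private']} kB private to this process")
```

Against a live process, `summarize_by_object(parse_smaps(read_process_smaps(pid)))` gives the same table. The private column is the only part a second process linking the same library adds, which is the data-segment growth Henrique allows for; the shared text is counted once however many processes map it, and Pss shows the fair per-process share once that sharing is divided out. Run it on a small box and the big libraries, not libselinux, dominate both columns.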





Penalty of SELinux?

2007-09-22 Thread Douglas A. Tutty
I run a bunch of old machines.  

Now that SELinux is integrated (compiled in) to various pieces of
Debian, is there a penalty even if it's not activated?

Thanks,

Doug.

