Is there some docs (FAQ/ReleaseNotes?) that describe how to make changes
to policy in FC5?
On Mon, 2006-03-13 at 15:30 -0700, Orion Poplawski wrote:
> Is there some docs (FAQ/ReleaseNotes?) that describe how to make changes
> to policy in FC5?
Doing minor tweaks is described at:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
As for wholesale policy changes, I don't k
Paul Howarth wrote:
On Mon, 2006-03-13 at 15:30 -0700, Orion Poplawski wrote:
Is there some docs (FAQ/ReleaseNotes?) that describe how to make changes
to policy in FC5?
Doing minor tweaks is described at:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
I've taken a look at A
Dennis Jacobfeuerborn wrote:
Paul Howarth wrote:
On Mon, 2006-03-13 at 15:30 -0700, Orion Poplawski wrote:
Is there some docs (FAQ/ReleaseNotes?) that describe how to make
changes to policy in FC5?
Doing minor tweaks is described at:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Aud
> Not an answer to your question but there's an interesting discussion on
> AppArmor and SELinux in Dan Walsh's blog:
>
> http://danwalsh.livejournal.com/424.html
maybe it's time to accept that SELinux as technology is doomed. Not
because the code is bad, but because it's Just Too Complex(tm).
On 3/14/06, Dennis Jacobfeuerborn wrote:
> I've taken a look at AppArmor and it looks like a much more incremental
> and easier to use solution than selinux. It's not as powerful but all this
> power doesn't help much if most people will turn off selinux anyway because
> it gets in the way. Has an
Arjan van de Ven wrote:
Not an answer to your question but there's an interesting discussion on
AppArmor and SELinux in Dan Walsh's blog:
http://danwalsh.livejournal.com/424.html
maybe it's time to accept that SELinux as technology is doomed. Not
because the code is bad, but because it's Jus
I'm not sure I buy that SELinux is doomed.
While it may be complex we use it on all of our linux servers and
desktops. We've had a few problems but that caused us to read the docs
and learn how to write policy to deal with these things.
Just like any new technology there are going to be learning
Jeff Spaleta wrote:
On 3/14/06, Dennis Jacobfeuerborn wrote:
I've taken a look at AppArmor and it looks like a much more incremental
and easier to use solution than selinux. It's not as powerful but all this
power doesn't help much if most people will turn off selinux anyway because
it gets in
Orion Poplawski wrote:
Is there some docs (FAQ/ReleaseNotes?) that describe how to make
changes to policy in FC5?
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
On Tue, Mar 14, 2006 at 03:24:45PM +0100, Dennis Jacobfeuerborn wrote:
> complex solutions. AppArmor looks more attractive to me because while it
> may not be perfect at least it's usable and easily understandable compared
> to selinux's black wizardry.
Lots of things can look pretty but it does
On Tue, 2006-03-14 at 15:13 +0100, Arjan van de Ven wrote:
> > Not an answer to your question but there's an interesting discussion on
> > AppArmor and SELinux in Dan Walsh's blog:
> >
> > http://danwalsh.livejournal.com/424.html
>
>
> maybe it's time to accept that SELinux as technology is doo
Daniel J Walsh wrote:
> Orion Poplawski wrote:
>
>> Is there some docs (FAQ/ReleaseNotes?) that describe how to make
>> changes to policy in FC5?
>>
> http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
>
This should be widely linked and beco
Alan Cox wrote:
On Tue, Mar 14, 2006 at 03:24:45PM +0100, Dennis Jacobfeuerborn wrote:
complex solutions. AppArmor looks more attractive to me because while it
may not be perfect at least it's usable and easily understandable compared
to selinux's black wizardry.
Lots of things can look prett
Stephen Smalley wrote:
On Tue, 2006-03-14 at 15:13 +0100, Arjan van de Ven wrote:
Not an answer to your question but there's an interesting discussion on
AppArmor and SELinux in Dan Walsh's blog:
http://danwalsh.livejournal.com/424.html
maybe it's time to accept that SELinux as technology is
On Tue, 2006-03-14 at 16:55 +0100, Dennis Jacobfeuerborn wrote:
> Stephen Smalley wrote:
> > No, there is quite a bit of ongoing work on improving usability for
> > SELinux, including several new higher level tools that have been
> > recently released.
> [snip]
>
> Where can I get more informatio
On Tue, Mar 14, 2006 at 15:13:15 +0100,
Arjan van de Ven wrote:
>
> maybe it's time to accept that SELinux as technology is doomed. Not
> because the code is bad, but because it's Just Too Complex(tm).
> Complexity kills, and I think the time it is taking to get to the point
> where at least le
Arjan van de Ven wrote:
Not an answer to your question but there's an interesting discussion on
AppArmor and SELinux in Dan Walsh's blog:
http://danwalsh.livejournal.com/424.html
maybe it's time to accept that SELinux as technology is doomed. Not
because the code is bad, but because it'
Dennis Jacobfeuerborn wrote:
> Alan Cox wrote:
>
>> On Tue, Mar 14, 2006 at 03:24:45PM +0100, Dennis Jacobfeuerborn wrote:
>>
>>> complex solutions. AppArmor looks more attractive to me because while
>>> it may not be perfect at least it's usable and
On 3/14/06, Dennis Jacobfeuerborn wrote:
> Alan Cox wrote:
> > On Tue, Mar 14, 2006 at 03:24:45PM +0100, Dennis Jacobfeuerborn wrote:
> >> complex solutions. AppArmor looks more attractive to me because while it
> >> may not be perfect at least it's usable and easily understandable compared
> >> t
On Tue, Mar 14, 2006 at 04:52:54PM +0100, Dennis Jacobfeuerborn wrote:
> I understand that but if this system that "solves the fundamental problems"
> is so complex that most people just turn it off then the gain in security
> you get is pretty much theoretical. Security isn't an all-or-nothing t
> I equate SELinux to the point when personal firewalls were first being
> introduced to each computer, everyone at that point just turned them
> off. But eventually the technology got to the point where most people
> don't
> realize they have a firewall running on their system.
I start hearin
On 3/14/06, Stephen J. Smoogen wrote:
> 3) They found a legitimate problem with selinux but did not have the
> tools to debug it or had the training needed to fix it.
I'm getting more comfortable with at least troubleshooting selinux
errors by looking for avc error messages in the logs. But somet
On Tue, 2006-03-14 at 11:33 -0500, Jeff Spaleta wrote:
> On 3/14/06, Stephen J. Smoogen wrote:
> > 3) They found a legitimate problem with selinux but did not have the
> > tools to debug it or had the training needed to fix it.
>
> I'm getting more comfortable with at least troubleshooting selinu
Jeff Spaleta wrote:
On 3/14/06, Stephen J. Smoogen wrote:
3) They found a legitimate problem with selinux but did not have the
tools to debug it or had the training needed to fix it.
I'm getting more comfortable with at least troubleshooting selinux
errors by looking for avc error mes
>
> I'm over-simplifying, but the main source of complexity in the current
> SELinux environment is its comprehensive nature. None of the security
> models currently used in SELinux is particularly complex. The MLS
> security model is counter-intuitive, but it's also not currently used
> ;-P A
On 3/14/06, Stephen Smalley wrote:
> Under FC4 and earlier:
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008
>
> Under FC5, you install the enableaudit.pp package, see the end of:
> http://fedoraproject.org/wiki/SELinux/Troubleshooting
>
> The wiki could use some help...
excel
Stephen J. Smoogen writes:
>
> To be honest, we have found that the following people turn off SeLinux
> for the following reasons:
>
> 1) They were told that xyz would be fixed by turning off SeLinux. In
> most cases, the problem with xyz was really a config issue that
> they then fix
Florian La Roche wrote:
>>I equate SELinux to the point when personal firewalls were first being
>>introduced to each computer, everyone at that point just turned them
>>off. But eventually the technology got to the point where most people
>>don't
>>realize they have a firewall running on there
> 5) They don't want enhanced security. I suspect this is a sizable
>number of people.
or rather, they don't care as long as it doesn't get in the way at all.
On Tue, Mar 14, 2006 at 11:33:05 -0500,
>
> Are there selinux interactions which will not generate avc messages as
> a matter of selinux design? If so how do i troubleshoot or even
> confirm that selinux policy is what an application is tripping over in
> those situations?
I believe there is a w
On Tue, 2006-03-14 at 17:45 +0100, Arjan van de Ven wrote:
> which is because the policy design seems to keep starting from the wrong
> place. That policy design is aimed for a "strict" policy. Even the so
> called targeted policy tries to work in a strict way.
>
> With this I mean it tries to be
Hi.
On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
> Go read:
> http://www.ranum.com/security/computer_security/editorials/dumb/
So shipping the targeted policy is a dumb idea. RH will be glad to hear that.
On Tue, 2006-03-14 at 12:30 -0500, Stephen Smalley wrote:
> On Tue, 2006-03-14 at 17:45 +0100, Arjan van de Ven wrote:
> > which is because the policy design seems to keep starting from the wrong
> > place. That policy design is aimed for a "strict" policy. Even the so
> > called targeted policy tr
On Tue, 2006-03-14 at 18:36 +0100, Ralf Ertzinger wrote:
> Hi.
>
> On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
>
> > Go read:
> > http://www.ranum.com/security/computer_security/editorials/dumb/
>
> So shipping the targeted policy is a dumb idea. RH will be glad to hear that.
Ta
On Tue, 2006-03-14 at 16:54 +, Andrew Haley wrote:
> Stephen J. Smoogen writes:
> >
> > To be honest, we have found that the following people turn off SeLinux
> > for the following reasons:
> >
> > 1) They were told that xyz would be fixed by turning off SeLinux. In
> > most cases, they
On 3/14/06, Ralf Corsepius wrote:
> On Tue, 2006-03-14 at 16:54 +, Andrew Haley wrote:
> > Stephen J. Smoogen writes:
> Finally, one fundamental problem, probably most users ask them
> themselves: Is coping with all the issues SELinux causes worth the
> effort, and does it really help the use
Arjan van de Ven wrote:
>
> The parallel to firewalls has been made several times. But in fact the
> linux firewall does exactly this; the "related" ruleset is a dynamic
> behavior that allows more than strictly would be needed to be allowed,
> yet it's an effective way to keep things tight when y
Ralf Ertzinger wrote:
Hi.
On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
Go read:
http://www.ranum.com/security/computer_security/editorials/dumb/
So shipping the targeted policy is a dumb idea. RH will be glad to hear that.
No targeted policy is confining the select
On Tue, Mar 14, 2006 at 09:26:01AM -0700, Stephen J. Smoogen wrote:
> To be honest, we have found that the following people turn off SeLinux
> for the following reasons:
[1-4]
5. They copied their / through remounting and rsync to another
partition on another disk to be able to change the partitio
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions#head-6dcc9a7f5f2d7e7ee033e777caacebb434713dd7
"The most common reason for a silent denial is when the policy
contains an explicit dontaudit rule to suppress audit messages. The
dontaudit rule is often used this way when a benign de
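Added example, not from this thread and not Fedora's own audit2allow: a small re-implementation of what audit2allow does with the "avc: denied" lines that Jeff Spaleta is reading out of the logs and that the Audit2allow wiki page turns into a loadable module. It parses constructed audit.log / dmesg-style lines (the types, paths and timestamps are made up for the example), groups the denials by source type, target type and object class, and emits the .te source of a local module in the "module local 1.0; require {...}" form that audit2allow -M produces. Two caveats the thread itself raises: a denial suppressed by a dontaudit rule never reaches the log, so it cannot appear in this output (on FC5 you load enableaudit.pp first, as Stephen Smalley says above; later releases grew "semodule -DB" for the same purpose, which is not on this page), and the rules this generates are exactly what the application tried to do, so review them before running semodule -i on the result rather than allowing everything blindly.

```python
"""
Turn SELinux AVC denial messages into the .te source of a loadable policy
module, the way audit2allow -M does.  Example code for the fedora-devel
discussion above; the sample log lines below are constructed, not real.
"""
import re
from collections import defaultdict

# Constructed sample: three denials for httpd, one granted event that must
# be ignored, and one line in the kernel-log (dmesg) format rather than
# the auditd format.  Context types are illustrative only.
SAMPLE_LOG = """\
type=AVC msg=audit(1142354400.123:45): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=hda2 ino=98765 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1142354400.456:46): avc:  denied  { getattr } for  pid=2201 comm="httpd" name="index.html" dev=hda2 ino=98765 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1142354401.789:47): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1142354402.000:48): avc:  granted  { read } for  pid=10 comm="syslogd" name="messages" dev=hda2 ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Mar 14 15:30:01 host kernel: audit(1142354402.500:49): avc:  denied  { write } for  pid=2201 comm="httpd" name="cache" dev=hda2 ino=1234 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_cache_t:s0 tclass=dir
"""

# Only "denied" events are of interest; "granted" lines (auditallow) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> the type component, which is all TE rules use."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Lines without a complete AVC denial (granted events, unrelated log noise,
    truncated lines) are ignored.  Denials hidden by a dontaudit rule never
    reach the log at all, so they cannot be recovered here.
    """
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def allow_rules(denials):
    """One 'allow src tgt:class perms;' line per (source, target, class)."""
    rules = []
    for (stype, ttype, cls), perms in sorted(denials.items()):
        perms = sorted(perms)
        rendered = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{cls} {rendered};")
    return rules


def te_module(name, denials, version="1.0"):
    """Render the .te source of a loadable module (audit2allow -M style).

    The require block declares every type and every class/permission the
    allow rules reference, so checkmodule can link it against the base policy.
    """
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # On a real box the input would come from /var/log/audit/audit.log or
    # dmesg; the output is what you would feed to checkmodule/semodule_package.
    print(te_module("mylocal", parse_denials(SAMPLE_LOG)))
```

The design choice worth noting is the grouping step: audit2allow collapses many individual denials into one rule per (source type, target type, class), which is what makes the generated module readable enough to review. Reviewing is the point; an allow rule for httpd_t on user_home_t:file is the kind of thing that may be better answered with a label change (chcon/restorecon) or a boolean than with new policy.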
The selinux cra^Wlabels should have been taken into account in
cp/tar/rsync and other applications that copy executables before
cp has supported selinux for quite some time now.
As far as recovering from disaster is concerned... there's the option of
turning selinux off, or enabling it in
smo...@gmail.com ("Stephen J. Smoogen") writes:
>> Finally, one fundamental problem, probably most users ask them
>> themselves: Is coping with all the issues SELinux causes worth the
>> effort, and does it really help the user?
>>
>> I guess, all Fedora users have been fighting with SELinux at so
On Tue, 2006-03-14 at 07:34 -0800, Shahms King wrote:
> Daniel J Walsh wrote:
> > Orion Poplawski wrote:
> >
> >> Is there some docs (FAQ/ReleaseNotes?) that describe how to make
> >> changes to policy in FC5?
> >>
> > http://fedoraproject.org/wi
Once upon a time, Ivan Gyurdiev said:
> cp has supported selinux for quite some time now.
The fact that it "supports" SELinux by adding a new option doesn't
really help. People know "cp -p" to preserve ownership and permissions,
but you have to use (the annoyingly verbose) "cp --preserve=all" to
Ralf Corsepius wrote:
Fundamental design problem: SELinux policies are centralized and
therefore not easy to customize.
As of FC5 this is no longer the case. Packages can bundle SELinux policy
modules, which provides for relatively easy customisation.
Paul.
On Tue, 2006-03-14 at 18:44 +0100, Arjan van de Ven wrote:
> So it seems we disagree some ;-) Lets gets some individual statements
> out then:
>
> 1) It's not feasible to enumerate all the bad things that can happen.
>I think we both agree on this based on your reaction.
Yes.
> 2) For someth
On Tue, 2006-03-14 at 21:35 +0100, Enrico Scholz wrote:
> SELinux is unsuitable for certain tasks (e.g. chroot operations) due to its
> broken/non existent kernel API (requiring two filesystems and operating
> with pathnames is not very efficient, difficult/insecure and does not
> work in chroots
On Tue, 2006-03-14 at 16:03 -0600, Chris Adams wrote:
> Once upon a time, Ivan Gyurdiev said:
> > cp has supported selinux for quite some time now.
>
> The fact that it "supports" SELinux by adding a new option doesn't
> really help. People know "cp -p" to preserve ownership and permissions,
> b
On Tue, Mar 14, 2006 at 02:25:04PM -0500, Ivan Gyurdiev wrote:
>
> >The selinux cra^Wlabels should have been taken into account in
> >cp/tar/rsync and other applications that copy executables before
> >
> cp has supported selinux for quite some time now.
What in my sentence made you think this