SELinux


SELinux

Arvind Autar
Hello,

I have been using Debian for quite some time now; however, I have
watched several distributions implementing so many great ideas, and I
have been wondering why such a robust distribution as Debian
GNU/Linux(*) hasn't done this. One of them is:

SELinux

SELinux is also suitable for desktop users: for example, if we look
at the targeted policy (for Fedora and RHEL), it
shows that it doesn't restrict user sessions. Short conclusion: there
is no loss of functionality, so why hasn't Debian implemented SELinux by
default?


(We could even get the right support for it in 'experimental'.)


- Arvind

(Could you be so kind to CC me, I'm not subscribed.)


Re: SELinux

Mike McCarty
Arvind Autar wrote:

> Hello,
>
> I have been using Debian for quite some time now; however, I have
> watched several distributions implementing so many great ideas, and I
> have been wondering why such a robust distribution as Debian
> GNU/Linux(*) hasn't done this. One of them is:
>
> SELinux
>
> SELinux is also suitable for desktop users: for example, if we look
> at the targeted policy (for Fedora and RHEL), it
> shows that it doesn't restrict user sessions. Short conclusion: there
> is no loss of functionality, so why hasn't Debian implemented SELinux by
> default?

Over in the Fedora lists, quite a number of the defects are related
to SELinux. I've noticed that enabling SELinux took away quite a bit
of functionality, not by design, but by defect.

If it gets added to Debian, I suggest that it be shipped disabled.

Frankly, unless one is running an Apache server or the like, I see
no usefulness in it. And even if one runs a server like Apache,
who is to say that SELinux doesn't add as many exploitable defects
as holes it plugs, if not more?

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: SELinux

Henrique de Moraes Holschuh
In reply to this post by Arvind Autar
On Wed, 21 Sep 2005, Arvind Autar wrote:
> is no loss of functionality, so why hasn't Debian implemented SELinux by
> default?

It is not that simple.  We are doing it slowly.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Re: SELinux

Ron Johnson-3
On Wed, 2005-09-21 at 16:49 -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 21 Sep 2005, Arvind Autar wrote:
> > is no loss of functionality, so why hasn't Debian implemented SELinux by
> > default?
>
> It is not that simple.  We are doing it slowly.

To flesh that out some:
        Fine-grain security is a *pain* in the arse.  It's not
easy to do right, and it necessitates vigilance, since adding new
apps very well might mean new or changed MAC rules.

For systems on insecure or restricted/classified networks, it's
wonderful.  For 98% of us, it's too much complexity for not enough
benefit over:
        carefully chosen apps
        turned-off unused daemons
        a good h/w firewall
        strong iptables rules.

--
-----------------------------------------------------------------
Ron Johnson, Jr.
Temporarily not of Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

"Everybody today seems to be in such a terrible rush, anxious for
greater developments and greater riches and so on, so that
children have very little time for their parents. Parents have
very little time for each other, and in the home begins the
disruption of peace of the world."
Mother Teresa



Re: SELinux

Bernd Eckenfels
In article <[hidden email]> you wrote:
> For systems on insecure or restricted/classified networks, it's
> wonderful.  For 98% of us, it's too much complexity for not enough
> benefit over:
>        carefully chosen apps
>        turned-off unused daemons
>        a good h/w firewall
>        strong iptables rules.

Biba Low-Watermark is pretty interesting here, since it requires a bit less
setup. Linux supports that with LOMAC.

It looks like IBM is researching some SELinux-based hybrid models which they
call SLIM (with TPM hardware support):
http://www.acsac.org/2004/workshop/David-Safford.pdf

However, it looks like LOMAC is kind of postponed, since nobody is funding LSM
work. It is, however, part of FreeBSD current.
http://opensource.sparta.com/lomac/

Gruss
Bernd



Re: SELinux

Arvind Autar
In reply to this post by Mike McCarty
Hello,

SELinux is perhaps not there yet, but Debian could give it a hand. No
third-party hand, if I may say so.

However, how much of the time is it the software developer's mistake
rather than SELinux's mistake?

Another different question, how does debian handle fork bomb
protection? Is this kernel related?

>cat /etc/security/limits.conf

@dev hard core 100000
@dev soft nproc 20
@dev hard nproc 35
@dev -    maxlogins 10

If the user is added to the group "dev" then it will prevent attacks
like: perl -e "fork while fork"
 http://en.wikipedia.org/wiki/Fork_bomb

however, attacks like (in C) main(){while(1){fork();}} and (in bash) while
: ; do tail /dev/urandom & done ; wait
do seem to work. There is a lack of documentation about this issue in
the debian.org documentation references. Maybe someone could clear
this up. A protection against these things would be nice, just like in
the old days when there was a default setting in the host TCP/IP
wrapper.

Cheers,

Arvind

(Could you please be so kind and CC me, I'm not subscribed )


2005/9/21, Mike McCarty <[hidden email]>:

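To see what the @dev entries above actually grant a given login, and what a user outside group dev is left with, here is an added example that is not code from the thread: a small Python resolver for limits.conf lines. The sample config is constructed, and the precedence it applies (user line over @group line over '*' wildcard, later line of equal rank wins, type '-' sets both soft and hard) is an assumption taken from limits.conf(5).

```python
# Added example (not from the thread): resolve the pam_limits(8) values a
# login would get from limits.conf text.  The sample config is constructed;
# precedence (user line > @group line > '*' wildcard, later equal-rank line
# wins, type '-' sets soft and hard) is assumed from limits.conf(5).

# The @dev lines from the post plus a '*' line so that users outside
# group dev are capped as well (constructed sample).
LIMITS_CONF = """\
@dev hard core 100000
@dev soft nproc 20
@dev hard nproc 35
@dev -    maxlogins 10
*    hard nproc 200
"""

RANK = {"user": 2, "group": 1, "wildcard": 0}  # assumed precedence


def parse_limits(text):
    """Return (kind, domain, type, item, value) tuples; value None = unlimited."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, ltype, item, value = line.split()
        if domain == "*":
            kind = "wildcard"
        elif domain.startswith("@"):
            kind, domain = "group", domain[1:]
        else:
            kind = "user"
        val = None if value in ("-1", "unlimited", "infinity") else int(value)
        rules.append((kind, domain, ltype, item, val))
    return rules


def effective_limits(text, user, groups):
    """Return {item: {"soft": v, "hard": v}} for a login of `user` in `groups`."""
    best = {}  # (item, type) -> (rank, value)
    for kind, domain, ltype, item, val in parse_limits(text):
        if (kind == "user" and domain != user) or (kind == "group" and domain not in groups):
            continue
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            prev = best.get((item, t))
            if prev is None or RANK[kind] >= prev[0]:  # equal rank: later line wins
                best[(item, t)] = (RANK[kind], val)
    out = {}
    for (item, t), (_, val) in best.items():
        out.setdefault(item, {})[t] = val
    return out
```

For a dev member this yields nproc soft 20 / hard 35 and maxlogins 10 / 10, while a user outside dev gets only the wildcard nproc hard 200; without that '*' line such a user would have no nproc ceiling from this file at all, which is the gap an @dev-only config leaves.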

Re: SELinux

Arvind Autar
http://home.tiscali.cz:8080/~cz210552/forkbomb.html

Software that can be used to test your system.

2005/9/24, Arvind Autar <[hidden email]>: