0n0w1c Apprentice
Joined: 02 Mar 2004 Posts: 273
Posted: Sat Jun 18, 2005 4:57 pm Post subject: Is now a good time to convert to selinux? |
I have been running on gentoo for about two years so I am fairly comfortable with it. I am getting an itchy trigger finger to try selinux.. I am using great restraint from just doing it now and asking questions later...
The line in the hardened docs about the workstation not being supported has stopped me.
Even redhat installs selinux by default these days... so why so much caution with gentoo?
Am I really asking for trouble if I convert?
emerge info:
Code:
Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r9-tao i686)
=================================================================
System uname: 2.6.11-gentoo-r9-tao i686 AMD Athlon(tm) MP 2400+
Gentoo Base System version 1.6.12
Python: dev-lang/python-2.3.5 [2.3.5 (#2, Apr 30 2005, 18:06:53)]
ccache version 2.3 [enabled]
dev-lang/python: 2.3.5
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.8.5-r3, 1.5, 1.6.3, 1.9.5, 1.7.9-r1, 1.4_p6
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-Os -march=athlon-mp -ftracer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-Os -march=athlon-mp -ftracer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ http://gentoo.seren.com/gentoo ftp://mirrors.tds.net/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X Xaw3d acpi alsa apache2 avi bitmap-fonts bonobo cdr cgi crypt cups curl cyrus dba dga dvd dvdr eds emboss encode esd ethereal fam fastcgi fbcon font-server foomaticdb fortran gcc-libffi gd gd-external gdbm gif gimp gimpprint gnome gnomedb gnustep gphoto2 gpm gs gstreamer gtk gtk2 gtkhtml ialsa imagemagick imap imlib imlib2 ipv6 ipv6arpa java javascript jikes jit jpeg junit lcd lcms ldap lesstif libg++ libgda libwww mad md5sum mikmod mime mmx mmx2 motif mozilla mp3 mpeg mplayer ncurses network nls nocardbus nptl objc odbc ogg oggvorbis opengl openssh oss pam pdflib perl php png posix prelude pwdb python qt quicktime radeon readline real sasl sdk sdl snmp speex spell sse sse2 ssl svga tcltk tcpd tiff transcode truetype truetype-fonts type1-fonts unicode usb videos vim-with-x vorbis wmf xfs xinetd xml2 xmms xprint xv xvid zeo zlib video_cards_radeon userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
world (sorted):
Code:
app-admin/logrotate
app-admin/syslog-ng
app-cdr/cdrecord-prodvd
app-cdr/xcdroast
app-editors/nano
app-office/openoffice
app-portage/gentoolkit
app-portage/ufed
app-text/acroread
app-text/rcs
dev-java/blackdown-jdk
dev-php/mod_php
dev-php/php
dev-util/ccache
dev-util/ddd
dev-util/eclipse-sdk
dev-util/strace
dev-util/subversion
gnome-base/gnome
gnome-extra/gnome-audio
mail-client/mozilla-thunderbird
mail-mta/postfix
media-fonts/aquafont
media-fonts/aquapfont
media-fonts/artwiz-fonts
media-fonts/corefonts
media-fonts/freefonts
media-fonts/gnu-gs-fonts-other
media-fonts/intlfonts
media-fonts/lfpfonts-fix
media-fonts/lfpfonts-var
media-fonts/sharefonts
media-fonts/tengwar-fonts
media-fonts/ttf-bitstream-vera
media-fonts/ttf-gentium
media-fonts/urw-fonts
media-gfx/splashutils
media-libs/win32codecs
media-sound/alsa-utils
media-video/mplayer
net-analyzer/tcpdump
net-analyzer/tcptraceroute
net-analyzer/traceroute
net-dns/bind
net-dns/bind-tools
net-firewall/firestarter
net-firewall/iptables
net-ftp/gftp
net-ftp/vsftpd
net-im/gaim
net-mail/cyrus-imap-admin
net-mail/cyrus-imapd
net-misc/netkit-telnetd
net-misc/ntp
net-misc/rdesktop
net-print/hpoj
net-www/mplayerplug-in
net-www/netscape-flash
sys-apps/acl
sys-apps/hotplug
sys-apps/slocate
sys-boot/grub
sys-fs/lvm2
sys-fs/udev
sys-kernel/gentoo-sources
sys-libs/glibc
sys-process/vixie-cron
www-client/links
www-client/mozilla-firefox
x11-libs/gtk+
x11-misc/numlockx
x11-misc/xpad
x11-misc/xscreensaver
x11-misc/xsetleds
xfce-base/xfce4
xfce-base/xfce4-extras
xfce-base/xfdesktop
xfce-extra/terminal
xfce-extra/xfce4-weather
Master Shake l33t
Joined: 10 Apr 2005 Posts: 755 Location: Wilmington, Delaware
Posted: Sat Jun 18, 2005 6:39 pm Post subject: |
You know, I kinda want to do some selinux stuff too. But I'm thinking that it's going to be easier to reinstall the entire system from scratch with selinux support. I know my brother tried to install selinux on a computer that was running slackware. He did it, but after a while he was just too pissed off at the thing. _________________ System Specs:
64-bit gentoo linux
Q6600 @ 3.2Ghz
P35 Chipset
4 Gigs 800mhz 4-4-4-12
Nvidia GeForce 8800 GTX @ 630mhz
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Sat Jun 18, 2005 7:30 pm Post subject: |
Redhat/fedora are not running a full selinux system by default. They are using what they call the targeted policy by default (there is also a strict policy). That means that only the applications for which they have created policies run restricted by selinux; all other applications run unrestricted. The available policies cover mainly the basic system and server applications. Desktop applications mostly run unrestricted.
Gentoo does not have a targeted policy, so everything runs restricted by selinux if you enable enforcing mode. Unfortunately Gentoo does not have many policies for desktop applications at the moment, though people are working on it. _________________ Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand
0n0w1c Apprentice
Joined: 02 Mar 2004 Posts: 273
Posted: Mon Jun 20, 2005 11:57 pm Post subject: |
Well, I made the leap!
So after, rather than before, I ask... can I get back? If so... is there a howto?
Just asking... so far so good.
0n0w1c Apprentice
Joined: 02 Mar 2004 Posts: 273
Posted: Tue Jun 21, 2005 12:12 am Post subject: |
While I am asking and seemingly determined to b0rk my system... how about PAX?
For those that may be wondering... the road via conversion to selinux was not without a few issues, your mileage may vary.
Splashutils can not be compiled with a hardened gcc (no issue for me, I just unmerged it).
Most every large package needed to be re-emerged because of the selinux, hardened or ldap use flags.
The biggest issue is that ufed keeps adding the "-selinux" flag... is my config missing something?
gdm has an issue with logging in as a normal user, "Unable to set executable context" in permissive mode. I have not looked into this yet, I simply re-emerged it with "-selinux" until I have time to figure it out.
I am holding off on re-emerging openoffice (hardened flag)... won't version 2 be available soon, even with ~x86?
0n0w1c Apprentice
Joined: 02 Mar 2004 Posts: 273
Posted: Sun Jul 03, 2005 9:04 pm Post subject: |
Quote:
gdm has an issue with logging in as a normal user, "Unable to set executable context" in permissive mode. I have not looked into this yet, I simply re-emerged it with "-selinux" until I have time to figure it out.
The issue is just what the error states.
The solution:
Edit /etc/security/selinux/src/policy/users, adding the user to the bottom of the file, per the gentoo docs.
I added the user account with "roles { staff_r sysadm_r }" so that it could go superuser. I have not yet tried it with a non-wheel user but I suspect it will work.
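An added example (not from the thread, and not Gentoo's own tooling) of scripting the fix above: a small POSIX sh helper that keeps one "user NAME roles { ... };" line per account in the legacy monolithic-policy users file, so re-running it after a policy re-emerge replaces rather than duplicates the entry. It assumes the file path from the post and the three role names a strict policy of that era defines (user_r, staff_r, sysadm_r); the account names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: manage entries in the legacy
# monolithic-policy "users" file, in the form the fix above uses:
#   user <name> roles { staff_r sysadm_r };
# The path defaults to the one named in the post; override POLICY_USERS
# (e.g. to a scratch copy) to try it without touching the live policy.

POLICY_USERS="${POLICY_USERS:-/etc/security/selinux/src/policy/users}"

# Build one users-file entry. Roles are checked against the role names
# a 2005-era strict policy defines (assumption: exactly these three).
selinux_user_entry() {
    name="$1"; shift
    [ -n "$name" ] || return 1
    roles=""
    for r in "$@"; do
        case "$r" in
            user_r|staff_r|sysadm_r) roles="$roles $r" ;;
            *) echo "unknown role: $r" >&2; return 1 ;;
        esac
    done
    [ -n "$roles" ] || return 1
    printf 'user %s roles {%s };\n' "$name" "$roles"
}

# Add or replace the entry for one account. Any previous line for the
# same account is dropped first, so the operation is idempotent.
selinux_user_set() {
    name="$1"; shift
    entry=$(selinux_user_entry "$name" "$@") || return 1
    tmp="$POLICY_USERS.tmp.$$"
    {
        if [ -f "$POLICY_USERS" ]; then
            grep -v "^user $name " "$POLICY_USERS" || true
        fi
        printf '%s\n' "$entry"
    } > "$tmp" && mv "$tmp" "$POLICY_USERS"
}
```

After editing the real file the policy still has to be rebuilt and loaded (the Gentoo docs of that era have you run make load in the policy source directory) before the new user context takes effect; the script only maintains the text.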
kalisphoenix Apprentice
Joined: 28 Sep 2003 Posts: 211 Location: Ohio
Posted: Fri Jul 08, 2005 7:53 pm Post subject: |
I dunno. I just started a clean install with SELinux and, when I emerged hardened-sources, I returned to find that SELinux decided to UNmerge everything on my system (including portage and every other useful prog). I'm going to give it another try, but I'm not sure I'm digging this...
Cinquero Apprentice
Joined: 24 Jun 2004 Posts: 249
Posted: Sat Jul 09, 2005 4:40 pm Post subject: |
It would be quite nice to have some sort of user module for SELinux, i.e. something that allows me to run SELinux unconstrained but force domain transitions for specific processes. It would be really great if such a thing could be integrated with KDE.
Typical use cases:
1.) Set up a rule that automatically forces a domain transition for every process which connects to a network socket.
2.) Limit access permissions for firefox, licq etc. to ~/.mozilla and /usr etc.
Modifying the SELinux rules interactively would be even better: start from a not-allowed-to-do-anything policy and then, when the app tries to do something, pop up a message window and decide to grant or deny that specific permission...
That would also be very useful to "write" policy files for all sorts of apps and daemons.
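An added example, not from the thread and not any existing SELinux tool: the batch form of the "watch what the app tries, then decide" idea above. It reads kernel AVC records in the classic 2.6-era dmesg format, keeps only the denials, and collapses them into one candidate allow rule per (source type, target type, class), merging the permissions. The sample lines are constructed; the type names, paths and port are made up, and a real policy author would still review each rule rather than load them blindly.

```shell
#!/bin/sh
# Added example, not from the thread: collapse AVC denials into candidate
# allow rules. Constructed sample records in the classic kernel format;
# every context, path and port here is invented for the demonstration.
SAMPLE_AVC='audit(1118866666.123:45): avc:  denied  { read } for  pid=1234 exe=/usr/bin/firefox name=cookies.txt dev=hda1 ino=1001 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_mozilla_rw_t tclass=file
audit(1118866667.001:46): avc:  denied  { name_connect } for  pid=1234 exe=/usr/bin/firefox dest=80 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
audit(1118866667.002:47): avc:  granted  { read } for  pid=1234 exe=/usr/bin/firefox scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1118866668.500:48): avc:  denied  { read } for  pid=1234 exe=/usr/bin/firefox name=prefs.js dev=hda1 ino=1002 scontext=user_u:user_r:user_mozilla_t tcontext=user_u:object_r:user_mozilla_rw_t tclass=file'

# Read AVC records on stdin, print "allow src_t tgt_t:class { perms };"
# once per distinct triple, in first-seen order. "granted" records and
# malformed lines (missing scontext/tcontext/tclass) are skipped.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        if (!match($0, /[{] [^}]* [}]/)) next
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { n = split(kv[2], p, ":"); s = p[n] }
            if (kv[1] == "tcontext") { n = split(kv[2], p, ":"); t = p[n] }
            if (kv[1] == "tclass")   c = kv[2]
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t ":" c
        # merge permissions for a triple already seen, without duplicates
        np = split(perms, pl, " ")
        for (j = 1; j <= np; j++)
            if (index(" " seen[key] " ", " " pl[j] " ") == 0)
                seen[key] = seen[key] " " pl[j]
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
    }
    END {
        for (k = 1; k <= nkeys; k++)
            printf "allow %s {%s };\n", keys[k], seen[keys[k]]
    }'
}

# Number of denial records in the constructed sample (granted ones excluded).
count_denials() {
    printf '%s\n' "$SAMPLE_AVC" | grep -c 'avc: *denied'
}

# Usage: feed real records with  dmesg | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Run against the sample, the three denials reduce to two rules: one file read on the app's own rw type, one tcp_socket name_connect to the http port type; the granted record contributes nothing. That reduction is what makes reviewing denials tractable when bringing up a policy for a desktop app under strict policy.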
Maedhros Bodhisattva
Joined: 14 Apr 2004 Posts: 5511 Location: Durham, UK
Posted: Sun Jul 10, 2005 8:12 am Post subject: |
Moved from Installing Gentoo to Networking & Security. _________________ No-one's more important than the earthworm.