Hello Russell,
is there any difference between i386 and amd64 as to how much protection
SELinux is able to provide? Earlier, stuff like NX was only available on
64-bit processors; are there still such differences?
On 12/30/11 14:15, Russell Coker wrote:
> The support is quite good. I run a bunch of Squeeze servers with SE Linux.
That's encouraging. I saw the wiki page was also edited by you around
April 2010, I guess I'll give it another try.
> As for Lenny, I expect if you added appropriate entries to /etc/modules or
> used audit2allow you would have got it working.
It didn't occur to me to add anything to /etc/modules, but I did try to
add the rules suggested by audit2allow. It compiled the policy, I added
it, but it still didn't work - I probably did something wrong (I had
only read the wiki page before and skimmed through the Fedora 5 SELinux
FAQ). I gave up after a day or so, it was my only system and couldn't
work. I should have read more before jumping in - mea culpa. Is there
any other documentation about SELinux except the one linked from the
wiki, your blog and the NSA paper? Do any Debian administration books
address SELinux?
> I can't imagine what the benefit would be in using "official" packages that I
> created and uploaded to Debian over using "unofficial" packages that I created
> and couldn't get in a Squeeze update because the changes would be too great or
> I didn't get time to go through the process of applying for them to be put in
> an update.
Well, your post a few hours ago about getting hacked (in taz's thread)
scared me into thinking that the official packages might be safer... :)
OTOH, I know you used to have a public SELinux server with root access
for anyone to try, so I guess it can't be _that_ bad.
> You will need to label those web server binaries as httpd_exec_t, use
> "semanage fcontext -a" to prevent a restorecon operation from undoing such
> changes. Also you might need to generate some extra policy with audit2allow
> if they happen to do something different to Apache. But the potential policy
> changes should be quite small, there really isn't much that Apache doesn't do.
> In many ways Apache could be regarded as the most complex daemon that we
> support in Debian. According to SE Linux policy the MTAs are the only
> competition for that.
Thanks, I'll try that in a VM first, with your "unofficial" packages.
>> P.S. Russell, if you are reading this, lots and lots of thanks for the
>> years of work on SELinux under Debian - I think we would have probably
>> never got SELinux on Debian without your efforts.
> I'm glad you appreciate it.
>
> Debian was the first distribution to support SE Linux.
I didn't know that; one associates SELinux mostly with RedHat-based
distros nowadays.
I remember first considering SELinux after the hacking of a few Debian
servers some years ago; the post-mortem analysis mentioned that SELinux
would have prevented it and recommended enabling it if possible (was it
Wouter's blog?). I also remember Manoj fought quite hard to get SELinux
included by default in Debian, but many developers opposed it being
active by default, like in Fedora. Too bad.
Thanks,
Laurentiu
Archive: http://lists.debian.org/4EFDC556.8050707@googlemail.com