7:53 a.m.
Greetings,
I was looking for directions about how would an ISV rool own policy for
the packages it ships. A very basic and step-by-step tutorial, for tiny
minds :-)
Thank you for your consideration,
Davide Bolcioni
6:10 p.m.
On Wed, 27 Apr 2005 14:53:25 +0200, Davide Bolcioni wrote:
Greetings,
I was looking for directions about how would an ISV rool own policy for
the packages it ships. A very basic and step-by-step tutorial, for tiny
minds :-)
I don't think there is any such document. Right now you can't distribute
policy anyway:
- The binary policy modules framework isn't fully deployed yet, or at
least that's the impression I got last time I talked to the author
- There are no formal policy compatibility ... er ... policies, between
distributions as far as I'm aware. So the meaning of a given bit of
policy might change depending on the distributions specific
implementation.
What exactly are your goals? Do you want to lock down your own program or
is this more about compatibility?
I'm pretty interested in letting Linux software developers ship policy as
part of their own binary packages to allow for better lockdown/least priv
on systems that support it but I don't think the technology is there yet.
thanks -mike
3:14 a.m.
Mike Hearn wrote:
I don't think there is any such document. Right now you can't
distribute
policy anyway:
- The binary policy modules framework isn't fully deployed yet, or at
least that's the impression I got last time I talked to the author
Maybe I'm so badly in need of a tutorial as to be unable to express my
question, see below.
- There are no formal policy compatibility ... er ... policies,
between
distributions as far as I'm aware. So the meaning of a given bit of
policy might change depending on the distributions specific
implementation.
That's part of what I would be looking for. How would I find out about the
policies in effect ?
What exactly are your goals? Do you want to lock down your own
program or
is this more about compatibility?
The initial goal is compatibility: ship a possibly distribution-specific
package which works regardless of whether the customer uses no selinux,
the targeted policy or the strict policy. Making it policy-specific
would be ugly, as I would get a combinatorial explosion of .rpm packages
to ship.
I realize that it might not be possible to do that just at the packaging
level, i.e. that changes might be necessary upstream, but I am currently
unable to tell which changes are appropriate for the packaging stage and
which would impact the code.
Once that goal is achieved, being able to lock down the software would
be the next step; I guess that a less than cursory knowledge of SELinux
would be necessary to do that, however.
I'm pretty interested in letting Linux software developers ship
policy as
part of their own binary packages to allow for better lockdown/least priv
on systems that support it but I don't think the technology is there yet.
Well, maybe the technology is not there but it hurts already: we
currently have code which does not work because of selinux. It is old
code which we are more interested in phasing out than supporting, but we
would like not to get bitten in the future.
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
3:20 a.m.
Mike Hearn wrote:
I don't think there is any such document. Right now you can't
distribute
policy anyway:
- The binary policy modules framework isn't fully deployed yet, or at
least that's the impression I got last time I talked to the author
Maybe I'm so badly in need of a tutorial as to be unable to express my
question, see below.
- There are no formal policy compatibility ... er ... policies,
between
distributions as far as I'm aware. So the meaning of a given bit of
policy might change depending on the distributions specific
implementation.
That's part of what I would be looking for. How would I find out about the
policies in effect ?
What exactly are your goals? Do you want to lock down your own
program or
is this more about compatibility?
The initial goal is compatibility: ship a possibly distribution-specific
package which works regardless of whether the customer uses no selinux,
the targeted policy or the strict policy. Making it policy-specific
would be ugly, as I would get a combinatorial explosion of .rpm packages
to ship.
I realize that it might not be possible to do that just at the packaging
level, i.e. that changes might be necessary upstream, but I am currently
unable to tell which changes are appropriate for the packaging stage and
which would impact the code.
Once that goal is achieved, being able to lock down the software would
be the next step; I guess that a less than cursory knowledge of SELinux
would be necessary to do that, however.
I'm pretty interested in letting Linux software developers ship
policy as
part of their own binary packages to allow for better lockdown/least priv
on systems that support it but I don't think the technology is there yet.
Well, maybe the technology is not there but it hurts already: we
currently have code which does not work because of selinux. It is old
code which we are more interested in phasing out than supporting, but we
would like not to get bitten in the future.
Thank you for your consideration,
Davide Bolcioni
8:54 a.m.
On Thu, 28 Apr 2005 10:20:55 +0200, Davide Bolcioni wrote:
That's part of what I would be looking for. How would I find out
about the
policies in effect ?
You can review their sources.
The initial goal is compatibility: ship a possibly
distribution-specific
package which works regardless of whether the customer uses no selinux,
the targeted policy or the strict policy. Making it policy-specific
would be ugly, as I would get a combinatorial explosion of .rpm packages
to ship.
OK. What exactly broke your app? Targetted isn't supposed to interfere
with most programs (except that sometimes that doesn't seem to be the
case, I'm still researching this too!). So you should be able to ignore
that. It may be that the shlib_textrel_t thing got you, so far that's the
only part of targetted I know about which isn't actually backwards
compatible.
As for strict policy, well I don't know what the default there is. I guess
the default is "deny everything" so every program needs policy to work but
I don't know for sure. I don't think many people run strict right now
though.
Until binary policy is implemented though I am not sure you can ship
policy in RPMs. It has to be in the central policy as a patch and you can
then mark the files with the right contexts. You (hopefully) shouldn't
need any custom policy though.
thanks -mike
9:09 a.m.
On Wed, 2005-04-27 at 14:53 +0200, Davide Bolcioni wrote:
Greetings,
I was looking for directions about how would an ISV rool own policy for
the packages it ships. A very basic and step-by-step tutorial, for tiny
minds :-)
Nothing quite fits the bill as you describe it, but nonetheless have a
look at the links under 'Documentation' at:
http://selinux.sourceforge.net/resources.php3
In particular:
1) There are some (outdated) HOWTOs on the sourceforge site,
http://sourceforge.net/docman/?group_id=21266
2) There is a RHEL4 SELinux Guide,
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
3) There is a NSA technical report,
http://www.nsa.gov/selinux/papers/policy2/t1.html
4) There is a published book,
http://www.oreilly.com/catalog/selinux/
5) There is a course,
http://www.tresys.com/selinux/selinux-course-outline.html
Of course, as others have noted, we don't yet have the infrastructure in
place for distributing package policies effectively. Binary policy
module support should be in FC5 (not FC4).
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
9:33 a.m.
Mike Hearn wrote:
You can review their sources.
I meant programmatically but never mind, I got the message that we're not
quite there yet.
OK. What exactly broke your app? Targetted isn't supposed to
interfere
with most programs (except that sometimes that doesn't seem to be the
case, I'm still researching this too!). So you should be able to ignore
that. It may be that the shlib_textrel_t thing got you, so far that's the
only part of targetted I know about which isn't actually backwards
compatible.
The app is a Web application which includes a proprietary CGI executable,
but in the targeted policy only appropriately-labeled CGI get run.
Having the CGI not sit in cgi-bin probably adds to the pain, I guess. I
found out how to disable SELinux protection for Apache, but that kind of
defeats the purpose and does not help customer relationships.
Until binary policy is implemented though I am not sure you can ship
policy in RPMs. It has to be in the central policy as a patch and you can
then mark the files with the right contexts. You (hopefully) shouldn't
need any custom policy though.
Another message suggested that FC5 is likely to be the target for the
stuff I am grasping at.
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
10:54 a.m.
This string of messages brings up something I wanted to get a
conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in
the future. ( I think the future is now.)
I see three people providing policy.
1. OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy
of the running service would be loaded. If we got to this state we
would need a new mechanism for restoring file context since
file_context might not meet the currently loaded policy.
2. Third Party application developers. As the use of targeted policy
has begun to take off, Third Party ISV have started to question
how they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
3 Local User customization and minor policies. Currently we have people
using audit2allow creating files in domains/misc and then
reloading policy. We need a mechanism for users to be able to do this
without recompiling policy. Also more significantly how
do we handle the small diffed apache_domain stuff. A couple of months
ago I redesigned apache policy to have a macro called
apache_domain. A user could create a new apache_XYZ.te file with
apache_domain(XYZ)
Followed by a few allow rules and be able to get their cgi scripts
working without turning off apache protection or running their script in
httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and
muck around. I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily
build their own custom policy.
Anyways I think we need more discussion on handling third party and user
customization of policy outside of the current make tree stuff.
Dan
Dan
--
12:32 p.m.
El jue, 28-04-2005 a las 11:54 -0400, Daniel J Walsh escribió:
The problem is the only way to do this is to install policy sources
and
muck around. I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily
build their own custom policy.
Anyways I think we need more discussion on handling third party and user
customization of policy outside of the current make tree stuff.
I've been thinking on it when working on the SELinux deployment within
Ubuntu Linux, and binary policies are something pretty handy for binary
packages-based distributions, among the general benefit they provide.
I might be able to work on something, but I would like to know first how
many people is interested in this and how many of them would be able to
contribute to it in the long term.
The idea I thought about is something like the one shown in the diagram
at
http://pearls.tuxedo-es.org/selinux/diagrams/selinux-binary-policies-1.png
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo(a)gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
12:51 p.m.
On Thu, 2005-04-28 at 19:32 +0200, Lorenzo Hernández García-Hierro
wrote:
I've been thinking on it when working on the SELinux deployment
within
Ubuntu Linux, and binary policies are something pretty handy for binary
packages-based distributions, among the general benefit they provide.
I might be able to work on something, but I would like to know first how
many people is interested in this and how many of them would be able to
contribute to it in the long term.
Tresys Technology already has a working implementation of binary policy
modules, including a module abstraction with a dependency model, a
compiler for generating such modules, and a linker for linking them
together with a "base module". Planned for upstreaming after FC4. See
their prior posts to the selinux list or their web site for info.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
3:29 p.m.
-----Original Message-----
From: owner-selinux(a)tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
Behalf Of Daniel J Walsh
Sent: Thursday, April 28, 2005 11:55 AM
To: Davide Bolcioni
Cc: fedora-selinux-list(a)redhat.com; SELinux
Subject: Re: Is there a SELinux tutorial for ISVs ?
This string of messages brings up something I wanted to get a
conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in
the future. ( I think the future is now.)
I see three people providing policy.
1. OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy
of the running service would be loaded. If we got to this state we
would need a new mechanism for restoring file context since
file_context might not meet the currently loaded policy.
In the binary policy work, the base is simply a binary module that is fully
self-contained to guarantee that there will be an internally consistent /
coherent policy at all times. That policy can be arbitrarily small, however.
As for only enabling policy for certain services I see three options:
1) Policy for all services is always loaded (current practice).
2) Policy for services that are installed is always loaded.
3) Policy for services that are installed is loaded on service start.
1 is obviously problematic because of wasted resources and privileged
application domains being present when they should not be (not to mention 3rd
party policy). We considered 3 when we started the binary module work, but
decided that it was too complicated with little benefit. Additionally, I think
that it is _very_ desirable to limit relabeling as much as possible. It is error
prone and risky in terms of security.
2 is what we are targeting. The installation of a new service in the model I am
proposing would
1) Install the binary policy module to a place on the filesystem managed by RPM
(for example /etc/selinux/policy-name/installed-modules).
2) Load the policy by installing it with semodule (semodule -i policy.pp - .pp
is for policy package which is the binary policy and file contexts). This will
install the module into a managed location (for example
/etc/selinux/policy-name/active-modules) and load it into the kernel.
3) RPM would then label files as it installs the application.
The binary module infrastructure also always creates a complete file_context
like the current system, so that can be used for whatever labeling needs to be
done.
2. Third Party application developers. As the use of targeted
policy
has begun to take off, Third Party ISV have started to question
how they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
That is the plan - we are porting the recent changes to
libsepol/libselinux/checkpolicy to our tree and will start upstreaming the
binary policy work soon. I am targeting getting this integrated by June.
3 Local User customization and minor policies. Currently we have
people
using audit2allow creating files in domains/misc and then
reloading policy. We need a mechanism for users to be able to do this
without recompiling policy. Also more significantly how
do we handle the small diffed apache_domain stuff. A couple of months
ago I redesigned apache policy to have a macro called
apache_domain. A user could create a new apache_XYZ.te file with
apache_domain(XYZ)
Followed by a few allow rules and be able to get their cgi scripts
working without turning off apache protection or running their script in
httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and
muck around. I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily
build their own custom policy.
We are actively working on what we are calling reference policy. This attempts
to create just such a 'shared library' mechanism among other goals. On the
source level it creates abstractions in the form of layers and modules. Each
module, which contains the policy for a well-defined functional area, exports a
set of interfaces - macros that allow access to its resources.
I have attached a presentation that we recently did on this project, which may
give you an idea of what we are trying to accomplish. I will get this on our web
page soon. Also, we are starting a sourceforge project for this that will be up
soon. We are making rapid progress on this and can release the policies that we
have done so far when the project set up. If anyone would like to see what we
have let me know and I will get you a tarball off list.
I think that the next step is to add the interface idea to the underlying binary
module language so that external policies can start being dependent not on types
but interfaces. If these stabilize enough it should be possible to write to this
abstraction layer and have a single binary module work across many base
policies.
Anyways I think we need more discussion on handling third party and user
customization of policy outside of the current make tree stuff.
I agree. We are trying to tackle these problems, but need input about exactly
what people need.
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
Dan
Dan
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo(a)tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
3:38 p.m.
-----Original Message-----
From: owner-selinux(a)tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
Behalf Of Stephen Smalley
Sent: Thursday, April 28, 2005 1:52 PM
To: Lorenzo Hernández García-Hierro
Cc: Daniel J Walsh; Davide Bolcioni; fedora-selinux-list(a)redhat.com; SELinux
Subject: Re: Is there a SELinux tutorial for ISVs ?
On Thu, 2005-04-28 at 19:32 +0200, Lorenzo Hernández García-Hierro
wrote:
> I've been thinking on it when working on the SELinux deployment within
> Ubuntu Linux, and binary policies are something pretty handy for binary
> packages-based distributions, among the general benefit they provide.
>
> I might be able to work on something, but I would like to know first how
> many people is interested in this and how many of them would be able to
> contribute to it in the long term.
Tresys Technology already has a working implementation of binary policy
modules, including a module abstraction with a dependency model, a
compiler for generating such modules, and a linker for linking them
together with a "base module". Planned for upstreaming after FC4. See
their prior posts to the selinux list or their web site for info.
This and the reference policy work I just mentioned in another email. As we work
on upstreaming the binary modules we are going to need feedback / testing - if
you are interested in this area I would greatly appreciate any help you can
give.
Thanks,
Karl
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo(a)tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
8:02 a.m.
-----Original Message-----
From: owner-selinux(a)tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Daniel J Walsh
Sent: Thursday, April 28, 2005 11:55 AM
To: Davide Bolcioni
Cc: fedora-selinux-list(a)redhat.com; SELinux
Subject: Re: Is there a SELinux tutorial for ISVs ?
This string of messages brings up something I wanted to get a
conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in
the future. ( I think the future is now.) I see three people
providing policy.
1. OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy of the
running service would be loaded. If we got to this state we would
need a new mechanism for restoring file context since file_context
might not meet the currently loaded policy.
In the binary policy work, the base is simply a binary module that is fully
self-contained to guarantee that there will be an internally consistent /
coherent policy at all times. That policy can be arbitrarily small, however.
As for only enabling policy for certain services I see three options:
1) Policy for all services is always loaded (current practice).
2) Policy for services that are installed is always loaded.
3) Policy for services that are installed is loaded on service start.
1 is obviously problematic because of wasted resources and privileged
application domains being present when they should not be (not to mention 3rd
party policy). We considered 3 when we started the binary module work, but
decided that it was too complicated with little benefit. Additionally, I think
that it is _very_ desirable to limit relabeling as much as possible. It is error
prone and risky in terms of security.
2 is what we are targeting. The installation of a new service in the model I am
proposing would
1) Install the binary policy module to a place on the filesystem managed by RPM
(for example /etc/selinux/policy-name/installed-modules).
2) Load the policy by installing it with semodule (semodule -i policy.pp - .pp
is for policy package which is the binary policy and file contexts). This will
install the module into a managed location (for example
/etc/selinux/policy-name/active-modules) and load it into the kernel.
3) RPM would then label files as it installs the application.
The binary module infrastructure also always creates a complete file_context
like the current system, so that can be used for whatever labeling needs to be
done.
2. Third Party application developers. As the use of targeted policy
has begun to take off, Third Party ISV have started to question how
they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
That is the plan - we are porting the recent changes to
libsepol/libselinux/checkpolicy to our tree and will start upstreaming the
binary policy work soon. I am targeting getting this integrated by June.
3 Local User customization and minor policies. Currently we have
people using audit2allow creating files in domains/misc and then
reloading policy. We need a mechanism for users to be able to do this
without recompiling policy. Also more significantly how
do we handle the small diffed apache_domain stuff. A couple of months
ago I redesigned apache policy to have a macro called apache_domain.
A user could create a new apache_XYZ.te file with
apache_domain(XYZ)
Followed by a few allow rules and be able to get their cgi scripts
working without turning off apache protection or running their script
in httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and
muck around. I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily
build their own custom policy.
We are actively working on what we are calling reference policy. This attempts
to create just such a 'shared library' mechanism among other goals. On the
source level it creates abstractions in the form of layers and modules. Each
module, which contains the policy for a well-defined functional area, exports a
set of interfaces - macros that allow access to its resources.
There is a presentation that we did on this work available at
http://tresys.com/Downloads/selinux_dev/reference-policy.pdf, which may give you
an idea of what we are trying to accomplish. Also, we are starting a sourceforge
project for this that will be up soon. We are making rapid progress on this and
can release the policies that we have done so far when the project set up. If
anyone would like to see what we have let me know and I will get you a tarball
off list.
I think that the next step is to add the interface idea to the underlying binary
module language so that external policies can start being dependent not on types
but interfaces. If these stabilize enough it should be possible to write to this
abstraction layer and have a single binary module work across many base
policies.
Anyways I think we need more discussion on handling third party and
user customization of policy outside of the current make tree stuff.
I agree. We are trying to tackle these problems, but need input about exactly
what people need.
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
Dan
Dan
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to
majordomo(a)tycho.nsa.gov with the words "unsubscribe selinux" without quotes as
the message.
7:20 a.m.
On Thu, 28 Apr 2005 11:54:30 -0400, Daniel J Walsh wrote:
Anyways I think we need more discussion on handling third party and
user
customization of policy outside of the current make tree stuff.
Sorry for posting so late ... one thing I'd also like to see is some
formal rules for policy compatibility. For instance, if FC4 ships and says
"Shared libraries with text relocations are no longer allowed by default"
then this breaks things. If FC5 ships and now you need special tagging to
connect to the X server, well ....
(I don't know if this has actually happened or not yet but it seems to
keep coming up)
It may be decided that it's an acceptable price to pay for the additional
security, or it may not. I don't think that discussion should happen
now. But I think ISVs would feel a lot more secure if this sort of
decision appeared not to be arbitrary and if there was some way to plan
and work with the OS base policy writers.
A basic system could be to have widely adopted (cross-distro) and
documented security levels, ie:
Level 1: Basic targetted - optin, only affects daemons, no restrictions
on anything else
Level 2: Targetted + additional restrictions, execshield enabled (ie
this is not just an SELinux thing), apps which require special
privs must have custom policy
Level 3: Strict
or something similar to that. This means users can adjust their security
level to adapt to what programs they run, and ISVs can say "Minimum
Requirements: Level 2 or lower security level".
thanks -mike
10:32 a.m.
Mike Hearn wrote:
On Thu, 28 Apr 2005 11:54:30 -0400, Daniel J Walsh wrote:
>Anyways I think we need more discussion on handling third party and user
>customization of policy outside of the current make tree stuff.
>
>
Sorry for posting so late ... one thing I'd also like to see is some
formal rules for policy compatibility. For instance, if FC4 ships and says
"Shared libraries with text relocations are no longer allowed by default"
then this breaks things. If FC5 ships and now you need special tagging to
connect to the X server, well ....
The goal is to not change the fundamental securitylevel on policy/kernel
updates. If it does there
is a bug in policy. Now we will be adding additional booleans in order
to allow users to increase
the securitylevel. So if a kernel gets added to a shipping OS
(FC3/RHEL4) that supports an additional
access check, we need to allow this by default. Same goes with adding
additional policy rules. For
example, I am trying to update the FC3/RHEL4 targeted policy with the
improvements made in rawhide.
Any new booleans need to default to true.
(I don't know if this has actually happened or not yet but it
seems to
keep coming up)
It may be decided that it's an acceptable price to pay for the additional
security, or it may not. I don't think that discussion should happen
now. But I think ISVs would feel a lot more secure if this sort of
decision appeared not to be arbitrary and if there was some way to plan
and work with the OS base policy writers.
A basic system could be to have widely adopted (cross-distro) and
documented security levels, ie:
Level 1: Basic targetted - optin, only affects daemons, no restrictions
on anything else
Level 2: Targetted + additional restrictions, execshield enabled (ie
this is not just an SELinux thing), apps which require special
privs must have custom policy
This is what booleans are for.
Level 3: Strict
or something similar to that. This means users can adjust their security
level to adapt to what programs they run, and ISVs can say "Minimum
Requirements: Level 2 or lower security level".
thanks -mike
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
11:25 a.m.
On Mon, 2005-05-09 at 11:32 -0400, Daniel J Walsh wrote:
The goal is to not change the fundamental securitylevel on
policy/kernel updates [ ... ] Any new booleans need to default to
true.
Hmm, so if I understand correctly then it's actually very possible that
updates/new distro versions will be shipped that deny things that were
previously allowed by default, as long as there is a boolean to switch
them off?
That sounds like by default every time you upgrade, programs might
break. There must be a better way to deal with this.
This is what booleans are for.
Booleans are just an implementation mechanism, what is needed is some
simple (end-user understandable) means for ISVs to communicate what
permissions their software needs - possibly for old versions of their
software that don't work with new policy.
Usability-wise it's not OK to put:
"This software requires that the SELinux 'foo', 'bar', 'xyz'
booleans be
set to false".
This is asking too much of the user, especially as there should ideally
be some easy way to apply more relaxed policy to an individual program
if it can't cope with the system defaults. Booleans for individual
programs is just too complicated.
I suggested a level system because (I think) it's reasonable to expect
end users to deal with statements like "This program cannot run with
security level 3 or higher". Whereas it's not reasonable to expect
people to be able to adjust things at a finer level of detail than that.
thanks -mike
12:19 p.m.
Mike Hearn wrote:
On Mon, 2005-05-09 at 11:32 -0400, Daniel J Walsh wrote:
>The goal is to not change the fundamental securitylevel on
>policy/kernel updates [ ... ] Any new booleans need to default to
>true.
>
>
Hmm, so if I understand correctly then it's actually very possible that
updates/new distro versions will be shipped that deny things that were
previously allowed by default, as long as there is a boolean to switch
them off?
That sounds like by default every time you upgrade, programs might
break. There must be a better way to deal with this.
>This is what booleans are for.
>
>
Booleans are just an implementation mechanism, what is needed is some
simple (end-user understandable) means for ISVs to communicate what
permissions their software needs - possibly for old versions of their
software that don't work with new policy.
No. If you update policy or kernel or any other componant of SELinux,
things should
work as they did before. Anything that breaks is a bug.
Usability-wise it's not OK to put:
"This software requires that the SELinux 'foo', 'bar', 'xyz'
booleans be
set to false".
We attempt to set a reasonable relaxness around the policy. So most
booleans are set to allow users full access.
Advanced users may want to turn up the security. So if a user wants to
be able to turn off apache's ability to run
cgi scripts. They can set httpd_enable_cgi=0. The default will be
allow cgi scripts.
This is asking too much of the user, especially as there should
ideally
be some easy way to apply more relaxed policy to an individual program
if it can't cope with the system defaults. Booleans for individual
programs is just too complicated.
Agreed, that is why we ship with a relaxed policy where reasonable.
I suggested a level system because (I think) it's reasonable to
expect
end users to deal with statements like "This program cannot run with
security level 3 or higher". Whereas it's not reasonable to expect
people to be able to adjust things at a finer level of detail than that.
thanks -mike
--
2:38 p.m.
On Mon, 09 May 2005 17:25:53 BST, Mike Hearn said:
Hmm, so if I understand correctly then it's actually very
possible that
updates/new distro versions will be shipped that deny things that were
previously allowed by default, as long as there is a boolean to switch
them off?
That sounds like by default every time you upgrade, programs might
break. There must be a better way to deal with this.
Hey. At least we're giving them a boolean. There's lots of stuff that
gets ripped out and breaks stuff (see Documentation/feature-removal-schedule.txt
for what's currently on the chopping block.
Try installing a recent RedHat system without udev - that requires more work
than just a boolean to work around. ;)
6927
days inactive
6939
days old
selinux@lists.fedoraproject.org
18 comments
8 participants
participants (8)
-
Daniel J Walsh -
Davide Bolcioni -
Davide Bolcioni -
Karl MacMillan -
Lorenzo Hernández García-Hierro -
Mike Hearn -
Stephen Smalley -
Valdis.Kletnieks@vt.edu