SELinux and third party installers
Mike Hearn
mike at navi.cx
Tue Jan 4 22:51:40 UTC 2005
On Tue, 04 Jan 2005 15:08:01 -0500, Colin Walters wrote:
>> I'm not keen on this line of thinking: it's the type that means
>> many of my Linux-native games and demos no longer run without lots of
>> hacking about. Is the the benefit of restricting 3rd party binaries
>> that don't opt-in worth the cost?
>
> I don't expect you to do this hacking; I'd expect the vendor to do it.
That works when the vendor is around and keen to give you free bugfix
updates, but often they're not, eg Loki (or if your support period
expired).
> > I tend to see SELinux as a tool to help enhance the security of
> > programs that are explicitly interested in it,
>
> That's what the targeted policy does essentially. But SELinux is
> capable of a lot more than that; e.g. giving the ability to define a
> "webmaster" role with only the access necessary to administer Apache.
Yep, that stuff is very cool. It doesn't affect application compatibility
though so I don't have to worry about it :)
> So it would be good to fix this problem in a generic way so it works in
> targeted and strict. If we can fix enough of these kinds of speedbumps,
> I feel that strict could be usable by a much wider range of people.
Yes that'd be good although my understanding of strict is that programs
without policy won't work, ie third party RPMs created before SELinux,
games from Loki/GarageGames or whatever. Or at least won't work without a
lot of tweaking.
> Mmm. I think the interesting question isn't where the policy binary
> bits are stored (in individual .rpm packages versus one big blob in
> selinux-policy-targeted RPM), but who writes the source.
Right, by "shipping policy with third party programs" I meant they write
their own policy. I seem to remember arguing about this with Russell
before though :)
> I run strict policy (i.e. universally shot-gun style ;)) on my server,
> it works quite well.
Sure but that's a server, which I guess is fairly typical web+mail+ssh+a
few other things, right? When you only run a relatively small set of
programs all provided by a central source it's a lot easier to do that.
I want to see SELinux on desktops, which means working with all the random
software the user has :)
thanks -mike
More information about the selinux
mailing list