Message-ID: <20061227221251.GF17785@petra.dvoda.cz>
Date:	Wed, 27 Dec 2006 23:12:51 +0100
From:	Karel Zak <kzak@...hat.com>
To:	Theodore Tso <tytso@....edu>, Arnd Bergmann <arnd@...db.de>,
	linux-kernel@...r.kernel.org, Henne Vogelsang <hvogel@...e.de>,
	Olaf Hering <olh@...e.de>, "H. Peter Anvin" <hpa@...or.com>
Subject: Re: util-linux: orphan

On Wed, Dec 27, 2006 at 03:42:13PM -0500, Theodore Tso wrote:
> On Wed, Dec 27, 2006 at 08:18:24PM +0100, Karel Zak wrote:
> >  Frankly, it wasn't always easy to use SELinux in previous FC
> >  releases, but there is huge progress and I think it's much better in
> >  FC6.
> 
> I've never tried SELinux, but at one point there were all sorts of
> horror stories that if you enabled SELinux, the moment you installed
> any 3rd party software packages, whether it's Oracle or Websphere or
> some other commercial application program, the application would break
> because of all sorts of SELinux policy violations, and that it
> required an SELinux wizard to configure SELinux policy to enable a 3rd
> party application to actually work correctly.  Given that I tried
> enabling SELinux, witnessed things break spectacularly and with no
> hints about how to fix things, I've always had the attitude of "life
> is too short to enable SELinux", and so my limited experience is

 The level of security is always your choice. Real security is
 pretty expensive and you have to invest your time to make your system
 really safe. IMHO people who provide simple and cheap solutions are
 liars or marketing agents or both.

 For example, for my laptop it is true that "life is too short to
 enable SELinux", but it's probably not true for servers in the bank where
 I have money. (I hope so :-)

> consistent with all of the horror stories that I've heard.
>
> It sounds like SELinux has gotten better, according to your

 I'm really only an occasional SELinux end user, so don't ask me for
 details.

> description.  Will it handle arbitrary 3rd party software without running
> wild, or is it still the case that the moment you want anything other
> than software that was shipped with the distribution, it's "abandon
> all hope, all ye who enter here"?

 It is possible to customize the existing SELinux policy. You
 can generate a new loadable policy module from the system audit logs (see
 the audit2allow utility). In other words -- your system in permissive
 mode monitors your 3rd party software, and from the logs you can
 generate new SELinux rules. When you switch the system to
 enforcing mode the application should run as expected with your
 new rules.

    Karel 

-- 
 Karel Zak  <kzak@...hat.com>
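The procedure sketched in the message above (run in permissive mode, collect the AVC denials, turn them into allow rules, then go back to enforcing) as an added shell example. It is not code from the thread, from util-linux or from the SELinux tooling: it is a small awk translator that does the core of what audit2allow does, so the reader can see exactly what a denial record becomes before it is loaded as policy. The domain `thirdapp_t`, the process name `thirdapp` and the audit records are constructed for the example, not taken from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux project: turn
# AVC denial records collected in permissive mode into Type Enforcement
# "allow" rules of the shape audit2allow emits, so they can be read and
# pruned before being built into a loadable module.

# Constructed sample of /var/log/audit/audit.log records (hypothetical domain
# thirdapp_t and process "thirdapp"; not from a real host). The SYSCALL line
# is there to show that non-AVC records are ignored.
SAMPLE_AVC='type=AVC msg=audit(1167257571.101:201): avc:  denied  { read } for  pid=4242 comm="thirdapp" name="app.conf" dev=sda1 ino=1234 scontext=system_u:system_r:thirdapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1167257571.102:202): avc:  denied  { read write } for  pid=4242 comm="thirdapp" name="app.sock" dev=sda1 ino=1235 scontext=system_u:system_r:thirdapp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1167257571.103:203): avc:  denied  { write } for  pid=4242 comm="thirdapp" name="app.conf" dev=sda1 ino=1234 scontext=system_u:system_r:thirdapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1167257571.103:203): arch=c000003e syscall=2 success=yes exit=3 comm="thirdapp"'

# Read audit records on stdin; print one "allow" rule per
# (source type, target type, object class), merging the permissions of
# repeated denials so the same pair never yields two rules.
avc_to_te() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # the denied permissions are the words between the braces
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        np = split(perms, p, " ")
        key = src " " tgt ":" cls
        if (!(key in rules)) { rules[key] = ""; keys[++count] = key }
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                rules[key] = rules[key] " " p[j]
            }
        }
    }
    END {
        for (k = 1; k <= count; k++) {
            split(keys[k], part, " ")
            printf "allow %s %s {%s };\n", part[1], part[2], rules[keys[k]]
        }
    }'
}

# Stand-alone run: print the rules the constructed sample produces.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
```

On a real SELinux host the same loop is `setenforce 0`, exercise the third-party application, `ausearch -m avc -c thirdapp | audit2allow -M thirdapp_local` (which writes both a `.te` source and a `.pp` package), read the `.te`, `semodule -i thirdapp_local.pp`, then `setenforce 1`. Two things worth checking before loading the module: a denial on a file whose label is simply wrong is better fixed with `restorecon` than with an allow rule, and `audit2allow -w` reports when an existing boolean already covers a denial. Every rule that survives is a permanent widening of policy, and only the code paths you actually exercised in permissive mode produced rules, so a second round of denials after switching to enforcing is normal.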