modifying utilities to use libselinux

modifying utilities to use libselinux

[Debian User]

is it wise to modify utiliies to use libsecure? what kind of utilities 
besides login and ssh should use libsecure? how about screen? I had a 
big problem making it work in selinux. 


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: modifying utilities to use libselinux

[Ed Street]

Hello,

I am going to assume you are using potato :)  Perhaps the best thing to
do, if this assumption is true, is go update to woody and use mr coker's
woody deb's located at http://www.coker.com.au/selinux/  you'll need to
do a kernel reconfiguration as well with the kernel-lsm patch

Ed

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Debian User
Sent: Thursday, June 27, 2002 2:28 AM
To: selinux@tycho.nsa.gov
Subject: modifying utilities to use libselinux

is it wise to modify utiliies to use libsecure? what kind of utilities 
besides login and ssh should use libsecure? how about screen? I had a 
big problem making it work in selinux. 


--
You have received this message because you are subscribed to the selinux
list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: modifying utilities to use libselinux

[Debian User]

No im using woody. Im playing with busybox and I wonder what should be 
done to make it work with selinux.

Ed Street wrote:

>Hello,
>
>I am going to assume you are using potato :)  Perhaps the best thing to
>do, if this assumption is true, is go update to woody and use mr coker's
>woody deb's located at http://www.coker.com.au/selinux/  you'll need to
>do a kernel reconfiguration as well with the kernel-lsm patch
>
>Ed
>
>-----Original Message-----
>From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
>On Behalf Of Debian User
>Sent: Thursday, June 27, 2002 2:28 AM
>To: selinux@tycho.nsa.gov
>Subject: modifying utilities to use libselinux
>
>is it wise to modify utiliies to use libsecure? what kind of utilities 
>besides login and ssh should use libsecure? how about screen? I had a 
>big problem making it work in selinux. 
>
>
>--
>You have received this message because you are subscribed to the selinux
>list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>with
>the words "unsubscribe selinux" without quotes as the message.
>  
>




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: modifying utilities to use libselinux

[Ed Street]

Hello,

Well your in luck if your using woody.  I would urge you to grab the
debs from cokers url http://www.coker.com.au/selinux/  there's some
decent docs on how to install it.  I can attest that it is a very simple
painless install. (assuming kernel config/compile is a somewhat simple
matter for you)

Ed

-----Original Message-----
From: Debian User [mailto:rogelio@evoworks.evoserve.com] 
Sent: Thursday, June 27, 2002 8:36 AM
To: blacknet@simplyaquatics.com
Cc: selinux@tycho.nsa.gov
Subject: Re: modifying utilities to use libselinux

No im using woody. Im playing with busybox and I wonder what should be 
done to make it work with selinux.

Ed Street wrote:

>Hello,
>
>I am going to assume you are using potato :)  Perhaps the best thing to
>do, if this assumption is true, is go update to woody and use mr
coker's
>woody deb's located at http://www.coker.com.au/selinux/  you'll need to
>do a kernel reconfiguration as well with the kernel-lsm patch
>
>Ed
>
>-----Original Message-----
>From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
>On Behalf Of Debian User
>Sent: Thursday, June 27, 2002 2:28 AM
>To: selinux@tycho.nsa.gov
>Subject: modifying utilities to use libselinux
>
>is it wise to modify utiliies to use libsecure? what kind of utilities 
>besides login and ssh should use libsecure? how about screen? I had a 
>big problem making it work in selinux. 
>
>
>--
>You have received this message because you are subscribed to the
selinux
>list.
>If you no longer wish to subscribe, send mail to
majordomo@tycho.nsa.gov
>with
>the words "unsubscribe selinux" without quotes as the message.
>  
>




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: modifying utilities to use libselinux

[Stephen Smalley]

On Thu, 27 Jun 2002, Debian User wrote:

> is it wise to modify utiliies to use libsecure? what kind of utilities
> besides login and ssh should use libsecure? how about screen? I had a
> big problem making it work in selinux.

The modified daemons and the new and modified utilities that are provided
with SELinux are described briefly in the Configuring the SELinux Policy
report (the Security-Aware Applications section).  The login and sshd
modifications are important for initially setting the security
context for user sessions.  You can then typically just use automatic
domain transitions within a user session to change permissions as
necessary as particular programs are executed.  I'm not sure why screen
would require modifications - can you clarify?

You can typically support applications transparently by configuring the
polcy appropriately.  In some cases, you may still choose to modify the
application in order to provide more information to users (e.g. the
modified ps and ls utilities to display contexts) or to better support
fine-grained access control (e.g. the modified logrotate to preserve log
file security contexts when they are rotated).

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com






--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: modifying utilities to use libselinux

[Russell Coker]

On Thu, 27 Jun 2002 09:07, Stephen Smalley wrote:
> On Thu, 27 Jun 2002, Debian User wrote:
> > is it wise to modify utiliies to use libsecure? what kind of utilities
> > besides login and ssh should use libsecure? how about screen? I had a
> > big problem making it work in selinux.
>
> The modified daemons and the new and modified utilities that are provided
> with SELinux are described briefly in the Configuring the SELinux Policy
> report (the Security-Aware Applications section).  The login and sshd
> modifications are important for initially setting the security
> context for user sessions.  You can then typically just use automatic
> domain transitions within a user session to change permissions as
> necessary as particular programs are executed.  I'm not sure why screen
> would require modifications - can you clarify?

Screen runs as SUID root and creates unix domain sockets to allow 
reconnection of processes in a common directory.  The policy needs to change 
to a suitable domain.  I made a quick hack of a screen policy which is in my 
packages, and it seems to work...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.