Re: SELinux Dumb Questions

Re: SELinux Dumb Questions

[Admissions Office]

Folks this may seem like a dumb question given the Open Source and postings
on the site. Its just that we want to be sure....

Is there any reason why a Colo company cannot offer SELinux as a standard
product offering they would install on clients servers?

That's all. I try to limit my dumb questions.

Ian McBeth
Sys Admin


----- Original Message -----
From: "Carsten Grohmann" <carsten.grohmann@dr-baldeweg.de>
To: <jw@centraltexasit.com>; <selinux@tycho.nsa.gov>
Sent: Monday, June 03, 2002 04:23
Subject: Re: SE-Linux on SuSE


> Hi Jonathan!
>
> I've install SE-Linux on SuSE (7.1). It is easy to install. You should
> run it a few days in the permissive mode to add a few new rules e.g. to
> add the blogd to the initrc domain. And you should remove a lot of cron
> jobs, if you like or you write rules for this jobs. And the mingettys,
> but SE-Linux works fine on SuSE too.
>
> Carsten
>
> JW schrieb:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello,
> >
> > I am interested in running SE-Linux on SuSE.
> >
> > I'd appreciate hearing from anyone who's tried it.
> >
> > Esp. how hard/easy it was to install/configure, anything special you had
to do to get it working, and what you like/dislike about it now that you
have it working.
> >
> > Thanks.
> > - --
> >
> > - ----------------------------------------------------
> > Jonathan Wilson
> > System Administrator
> > Cedar Creek Software     http://www.cedarcreeksoftware.com
>
> --
> You have received this message because you are subscribed to the selinux
list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux Dumb Questions

[Westerman, Mark]

None

> -----Original Message-----
> From: Admissions Office [mailto:admissions@internet.edu.nf]
> Sent: Monday, June 03, 2002 9:51 AM
> To: Carsten Grohmann; jw@centraltexasit.com; selinux@tycho.nsa.gov
> Subject: Re: SELinux Dumb Questions
> 
> 
> Folks this may seem like a dumb question given the Open 
> Source and postings
> on the site. Its just that we want to be sure....
> 
> Is there any reason why a Colo company cannot offer SELinux 
> as a standard
> product offering they would install on clients servers?
> 
> That's all. I try to limit my dumb questions.
> 
> Ian McBeth
> Sys Admin
> 
> 
> ----- Original Message -----
> From: "Carsten Grohmann" <carsten.grohmann@dr-baldeweg.de>
> To: <jw@centraltexasit.com>; <selinux@tycho.nsa.gov>
> Sent: Monday, June 03, 2002 04:23
> Subject: Re: SE-Linux on SuSE
> 
> 
> > Hi Jonathan!
> >
> > I've install SE-Linux on SuSE (7.1). It is easy to install. 
> You should
> > run it a few days in the permissive mode to add a few new 
> rules e.g. to
> > add the blogd to the initrc domain. And you should remove a 
> lot of cron
> > jobs, if you like or you write rules for this jobs. And the 
> mingettys,
> > but SE-Linux works fine on SuSE too.
> >
> > Carsten
> >
> > JW schrieb:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Hello,
> > >
> > > I am interested in running SE-Linux on SuSE.
> > >
> > > I'd appreciate hearing from anyone who's tried it.
> > >
> > > Esp. how hard/easy it was to install/configure, anything 
> special you had
> to do to get it working, and what you like/dislike about it 
> now that you
> have it working.
> > >
> > > Thanks.
> > > - --
> > >
> > > - ----------------------------------------------------
> > > Jonathan Wilson
> > > System Administrator
> > > Cedar Creek Software     http://www.cedarcreeksoftware.com
> >
> > --
> > You have received this message because you are subscribed 
> to the selinux
> list.
> > If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov
> with
> > the words "unsubscribe selinux" without quotes as the message.
> >
> 
> 
> --
> You have received this message because you are subscribed to 
> the selinux list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Admissions Office]

Thanks to All. We would not says SELinux offered by the NSA !  People have
really been asking about it once we tell them such a thing exists. Many are
just interested so we point them to the site. Our mission would be to start
providing support to clients who ask for it.

Again, thanks to all...


----- Original Message -----
From: "Westerman, Mark" <Mark.Westerman@csoconline.com>
To: "'Admissions Office'" <admissions@internet.edu.nf>;
<selinux@tycho.nsa.gov>
Sent: Monday, June 03, 2002 09:00
Subject: RE: SELinux Dumb Questions


> None
>
> > -----Original Message-----
> > From: Admissions Office [mailto:admissions@internet.edu.nf]
> > Sent: Monday, June 03, 2002 9:51 AM
> > To: Carsten Grohmann; jw@centraltexasit.com; selinux@tycho.nsa.gov
> > Subject: Re: SELinux Dumb Questions
> >
> >
> > Folks this may seem like a dumb question given the Open
> > Source and postings
> > on the site. Its just that we want to be sure....
> >
> > Is there any reason why a Colo company cannot offer SELinux
> > as a standard
> > product offering they would install on clients servers?
> >
> > That's all. I try to limit my dumb questions.
> >
> > Ian McBeth
> > Sys Admin
> >
> >
> > ----- Original Message -----
> > From: "Carsten Grohmann" <carsten.grohmann@dr-baldeweg.de>
> > To: <jw@centraltexasit.com>; <selinux@tycho.nsa.gov>
> > Sent: Monday, June 03, 2002 04:23
> > Subject: Re: SE-Linux on SuSE
> >
> >
> > > Hi Jonathan!
> > >
> > > I've install SE-Linux on SuSE (7.1). It is easy to install.
> > You should
> > > run it a few days in the permissive mode to add a few new
> > rules e.g. to
> > > add the blogd to the initrc domain. And you should remove a
> > lot of cron
> > > jobs, if you like or you write rules for this jobs. And the
> > mingettys,
> > > but SE-Linux works fine on SuSE too.
> > >
> > > Carsten
> > >
> > > JW schrieb:
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > Hello,
> > > >
> > > > I am interested in running SE-Linux on SuSE.
> > > >
> > > > I'd appreciate hearing from anyone who's tried it.
> > > >
> > > > Esp. how hard/easy it was to install/configure, anything
> > special you had
> > to do to get it working, and what you like/dislike about it
> > now that you
> > have it working.
> > > >
> > > > Thanks.
> > > > - --
> > > >
> > > > - ----------------------------------------------------
> > > > Jonathan Wilson
> > > > System Administrator
> > > > Cedar Creek Software     http://www.cedarcreeksoftware.com
> > >
> > > --
> > > You have received this message because you are subscribed
> > to the selinux
> > list.
> > > If you no longer wish to subscribe, send mail to
> > majordomo@tycho.nsa.gov
> > with
> > > the words "unsubscribe selinux" without quotes as the message.
> > >
> >
> >
> > --
> > You have received this message because you are subscribed to
> > the selinux list.
> > If you no longer wish to subscribe, send mail to
> > majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> >
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Russell Coker]

On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> Folks this may seem like a dumb question given the Open Source and postings
> on the site. Its just that we want to be sure....
>
> Is there any reason why a Colo company cannot offer SELinux as a standard
> product offering they would install on clients servers?

As Mark stated there are no license or legal issues preventing such use.

In fact SE Linux is very desirable as an option for a hosting company as it 
allows safer sharing of recources.  I believe that the requirements that JW 
plans to solve with SE Linux are along the lines of partitioning a server for 
several users (who don't necessarily trust each other and aren't trusted by 
the administrator) to bind to ports <1024.

Of course as a practical measure you probably want to offer a non-SE service 
too, people get paranoid when the NSA is mentioned and some customers will 
probably pay extra to have a dedicated server without NSA software rather 
than a shared server with the NSA software...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[JW]

> On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> > Folks this may seem like a dumb question given the Open Source and
> > postings on the site. Its just that we want to be sure....
> >
> > Is there any reason why a Colo company cannot offer SELinux as a standard
> > product offering they would install on clients servers?

> As Mark stated there are no license or legal issues preventing such use.


On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> SELinux includes Type Enforcement technology developed and patented by the
> Secure Computing Corporation, who still holds rights to all commercial use
> of the technology.  Before a colo company, or anyone else uses the
> technology commercially, it will be necessary to negotiate a license with
> Secure Computing.  If anyone wants to do so, I can help get the ball
> rolling with our Legal and BD folks.
>
> --Tom
>
> Dr. Tom Haigh, CTO
> Secure Computing Corp.
> 2675 Long Lake Road
> Roseville, MN 55113
>
> 651-628-2738 (V)
> 651-628-2701 (F)
>
> haigh@securecomputing.com
>
>

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Russell Coker]

On Tue, 4 Jun 2002 23:30, JW wrote:
> > On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> > > Folks this may seem like a dumb question given the Open Source and
> > > postings on the site. Its just that we want to be sure....
> > >
> > > Is there any reason why a Colo company cannot offer SELinux as a
> > > standard product offering they would install on clients servers?
> >
> > As Mark stated there are no license or legal issues preventing such use.
>
> On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> > SELinux includes Type Enforcement technology developed and patented by
> > the Secure Computing Corporation, who still holds rights to all
> > commercial use of the technology.  Before a colo company, or anyone else
> > uses the technology commercially, it will be necessary to negotiate a
> > license with Secure Computing.  If anyone wants to do so, I can help get
> > the ball rolling with our Legal and BD folks.

Let's look at the following URL:
http://www.securecomputing.com/archive/press/2000/nsa_faq_secure_linux.html

> Question 6: Will SCC use its patent on Type Enforcement TM to restrict use,
> future development, derivative work, or release of the source code of the
> system? 
>
> There will be no restrictions on the use of TE by the Linux open source
> community. We believe that leveraging the resources of the Linux community
> is the best way to develop robust security for Linux.

That seems like a clear statement that we can do what we like with it!

But Tom, if your company does want to go ahead with this patent plan then 
please do the following:

1)  Change that misleading web page.

2)  Let me know so I can remove all SE Linux code from Debian, remove it from 
my client's machines, and start work on a competing product.

3)  Make formal statements as to limitations of distribution etc, also 
clarify to what extent you want SE Linux code removed from the world.  Should 
I get the upstream maintainer of stat to remove the SE Linux code too?  Also 
you'll have to get it removed from LSM which is under the GPL, and you had 
better hope that the problems with building as a module are fixed quickly - 
you can't ship code that links with the kernel unless it's under the GPL.

PS  When does the patent expire?  If it's due to expire in 1 year or less we 
can just wait until it's gone...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux Dumb Questions

[Roland.Jones]

Russell,

Your comments and clarifications are most enlightening and reflect my under standing of SELinux's use as open source code. I find this issue of private licensing confusing since I thought the whole idea was to get this technology into the community. The NSA's SELinux overview says the following at the end of the page:

		Security-enhanced Linux is being released under the same terms and conditions as the original 			sources. The release includes documentation and source code for both the system and some 			system utilities that were modified to make use of the new features. Participation with comments, 			constructive criticism, and/or improvements is welcome. 

It doesn't seem to me that NSA's intention was to restrict the deployment of this technology when they released SELinux. Any NSA types out there?


Roland


-----Original Message-----
From: ext Russell Coker [mailto:russell@coker.com.au]
Sent: Tuesday, June 04, 2002 3:00 PM
To: jw@centraltexasit.com; selinux@tycho.nsa.gov
Cc: Haigh, Tom; 'Admissions Office'; Carsten Grohmann;
linux-security-module@wirex.com
Subject: Re: SELinux Dumb Questions


On Tue, 4 Jun 2002 23:30, JW wrote:
> > On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> > > Folks this may seem like a dumb question given the Open Source and
> > > postings on the site. Its just that we want to be sure....
> > >
> > > Is there any reason why a Colo company cannot offer SELinux as a
> > > standard product offering they would install on clients servers?
> >
> > As Mark stated there are no license or legal issues preventing such use.
>
> On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> > SELinux includes Type Enforcement technology developed and patented by
> > the Secure Computing Corporation, who still holds rights to all
> > commercial use of the technology.  Before a colo company, or anyone else
> > uses the technology commercially, it will be necessary to negotiate a
> > license with Secure Computing.  If anyone wants to do so, I can help get
> > the ball rolling with our Legal and BD folks.

Let's look at the following URL:
http://www.securecomputing.com/archive/press/2000/nsa_faq_secure_linux.html

> Question 6: Will SCC use its patent on Type Enforcement TM to restrict use,
> future development, derivative work, or release of the source code of the
> system? 
>
> There will be no restrictions on the use of TE by the Linux open source
> community. We believe that leveraging the resources of the Linux community
> is the best way to develop robust security for Linux.

That seems like a clear statement that we can do what we like with it!

But Tom, if your company does want to go ahead with this patent plan then 
please do the following:

1)  Change that misleading web page.

2)  Let me know so I can remove all SE Linux code from Debian, remove it from 
my client's machines, and start work on a competing product.

3)  Make formal statements as to limitations of distribution etc, also 
clarify to what extent you want SE Linux code removed from the world.  Should 
I get the upstream maintainer of stat to remove the SE Linux code too?  Also 
you'll have to get it removed from LSM which is under the GPL, and you had 
better hope that the problems with building as a module are fixed quickly - 
you can't ship code that links with the kernel unless it's under the GPL.

PS  When does the patent expire?  If it's due to expire in 1 year or less we 
can just wait until it's gone...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Dale Amon]

On Tue, Jun 04, 2002 at 11:59:46PM +0200, Russell Coker wrote:
> > On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> > > SELinux includes Type Enforcement technology developed and patented by
> > > the Secure Computing Corporation, who still holds rights to all
> > > commercial use of the technology.  Before a colo company, or anyone else
> > > uses the technology commercially, it will be necessary to negotiate a
> > > license with Secure Computing.  If anyone wants to do so, I can help get
> > > the ball rolling with our Legal and BD folks.
> 
> PS  When does the patent expire?  If it's due to expire in 1 year or less we 
> can just wait until it's gone...

I agree with Russell. This really had better be clarified. I believe it
is the intent of many on this list, myself included, to productize
systems based on SELinux.

It's either GPL or it ain't. Which is it? Do I drop my plans or continue?

PS: For my purposes, the BSD license will do just as well.




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Admissions Office]

Sorry - I did not mean to cause a storm..... Before we know it the CIA will
ask for Inter-agency cooperation :-)

Serious - My firneds and yes colo clients ask if we will "help" them install
and or maintain this OS. Its said, the Open GL Ec so what a dummy.  I just
asked.  Please - develop, forget me.  We can and will work this out. The
world has bigger problems.

Joop Cousteau


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux Dumb Questions

[Ed Street]

Hello,

Hey I'm all for any open structure that could meet c2 or better security
guidelines.  I believe that selinux comes closer than anything else on
the market.  I also believe that if the NSA or any other group wishes to
mangle/modify/add/remove/etc code from other vendors to meet those
guidelines then it's their right (baring copyright infringment and close
source)  I also think a lot of people can benefit greatly from this
project and I would really hate to see some greedy company attempt to
snuff the project into their folds.

However after reviewing all the previous emails I have put all my
selinux projects on hold untill I find out where this is going.  Just
remember people, if security was illegal only criminals would have
security.

Ed


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.