* Successful install
@ 2001-08-29 21:48 Conan Callen
  2001-08-30 13:08 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Conan Callen @ 2001-08-29 21:48 UTC (permalink / raw)
  To: selinux

I finished the install this morning, selinux is up and running. It all seems to be running ok.

The README (Building & Installing) instructions worked great. The only problem I ran into was that I missed step 15 (adding /usr/local/selinux/bin to the path).

I read earlier that selinux had no support for x windows, is this still true with this latest drop? Is anyone working on a secured desktop?

I have installed Bastille (www.bastille-linux.org) and am using the firewall that comes with it. Will this conflict with anything in selinux?

Conan


* RE: Successful install
@ 2001-08-30 12:19 Westerman, Mark
  0 siblings, 0 replies; 3+ messages in thread
From: Westerman, Mark @ 2001-08-30 12:19 UTC (permalink / raw)
  To: 'Conan Callen', selinux

The current version of selinux does support X-Windows, but does not support
a graphical login.
I have ported gdm (GNOME display manager) to selinux. When I finish the
policy files for gdm I will mail the port and policy file to you if you
would like.
 
Mark Westerman


* Re: Successful install
  2001-08-29 21:48 Successful install Conan Callen
@ 2001-08-30 13:08 ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2001-08-30 13:08 UTC (permalink / raw)
  To: Conan Callen; +Cc: selinux


On Wed, 29 Aug 2001, Conan Callen wrote:

> I finished the install this morning, selinux is up and running.
> It all seems to be running ok.

Good.  Be sure to verify that none of your daemons were left in
the initrc_t domain by checking the ps -e --context output.  If
so, then you'll need to define domains for those daemons or disable
them if you don't want to use them.  Also check your /var/log/messages
file for 'avc: denied' messages to see if you need to add any
permissions to the example policy for your particular system.
When you think the policy is ready, you can toggle the system
into enforcing mode with avc_toggle (or rebuild the kernel with
CONFIG_FLASK_DEVELOP undefined).

> I read earlier that selinux had no support for x windows, is this still 
> true with this latest drop? Is anyone working on a secured desktop?

In the example policy released with the new prototype, I commented out
some of the permissions needed by the X server because they are very
dangerous.  See the lines preceded by 'Commented out by default' in
policy/domains/program/xserver.te.  You can uncomment those permissions
if you want, but the consequence is that a bug in the X server can be
catastrophic to the security of your system.  Also, this only allows
you to run X via startx after a normal login - it doesn't deal with
running an X display manager.  Mark Westerman has made some modifications
to gdm for this purpose and put them on the sourceforge site.

The X server really needs to be partitioned up more, so that only
a small section of code needs to be granted these highly sensitive
permissions.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
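
An added example, not part of the original message or the SELinux distribution: the two post-install checks described in the reply above (processes left in initrc_t, and 'avc: denied' lines in the log), run over constructed sample input. The `user:role:type` context layout, the `ps` column layout, the log field names and the daemon names `exampled` and `otherd` are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ps -e --context` output (column layout is an assumption).
sample_ps() {
cat <<'EOF'
  PID CONTEXT                          COMMAND
    1 system_u:system_r:init_t         init
  412 system_u:system_r:syslogd_t      syslogd
  530 system_u:system_r:initrc_t       exampled
  611 system_u:system_r:sshd_t         sshd
  702 system_u:system_r:initrc_t       otherd
EOF
}

# Constructed sample of /var/log/messages lines (field layout is an assumption).
sample_log() {
cat <<'EOF'
Aug 30 09:01:02 host kernel: avc:  denied  { read } for  pid=530 exe=/usr/sbin/exampled path=/etc/example.conf scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
Aug 30 09:01:05 host kernel: avc:  denied  { read } for  pid=530 exe=/usr/sbin/exampled path=/etc/example.conf scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
Aug 30 09:02:10 host kernel: avc:  denied  { write } for  pid=611 exe=/usr/sbin/sshd path=/var/run/x scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:var_run_t tclass=file
Aug 30 09:03:00 host sshd[611]: Accepted password for user
EOF
}

# Print every ps line whose context field has type initrc_t, wherever that column sits.
leftover_initrc() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:initrc_t$/) { print; break } }'
}

# Count denials per (source type, target type, class, permissions), most frequent first.
summarize_denials() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/^.*denied +[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        s = t = c = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        count[s " -> " t ":" c " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Live use would be: ps -e --context | leftover_initrc ; summarize_denials < /var/log/messages
echo "Processes still in initrc_t:"; sample_ps | leftover_initrc
echo "Denials by source/target:";    sample_log | summarize_denials
```

Denials whose source type is initrc_t point back to the first check: the daemon needs its own domain rather than extra permissions granted to initrc_t.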





