* http://www.golden-gryphon.com/software/security/selinux.xhtml
From: Luke Kenneth Casson Leighton @ 2005-06-09 19:20 UTC (permalink / raw)
To: SE-Linux; +Cc: debian-devel
manoj, hi,
i am delighted to see the above web page re: selinux.
i notice you mention that there is an effort underway to make
a uml-selinux.
perhaps i should mention that it is utterly trivial to set up
a xen system with a guest domain running pretty much any kind
of kernel - including selinux enabled ones.
people who are not happy about using or waiting for uml-selinux
might want to consider either temporarily or permanently
utilising xen instead.
l.
p.s. xen's a lot damn quicker, too. quick enough so that you can
seriously consider just doing apt-get update, blah blah.
--
http://lkcl.net
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: http://www.golden-gryphon.com/software/security/selinux.xhtml
From: antoine @ 2005-06-09 22:42 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton
Cc: SE-Linux, debian-devel, Blaisorblade, Jeff Dike
On Thu, 2005-06-09 at 20:20 +0100, Luke Kenneth Casson Leighton wrote:
> manoj, hi,
>
> i am delighted to see the above web page re: selinux.
Err?
>
> i notice you mention that there is an effort underway to make
> a uml-selinux.
>
> perhaps i should mention that it is utterly trivial to set up
> a xen system with a guest domain running pretty much any kind
> of kernel - including selinux enabled ones.
We have been running selinux guest kernels in uml for years, that was
not the issue here, or are you just doing xen advocacy?
The question was about ensuring proper containment of the UML kernel
process *from outside*, with regards to the way uml handles tmpfs (which
it uses as a ram backing store with execute attributes).
> people who are not happy about using or waiting for uml-selinux
> might want to consider either temporarily or permanently
> utilising xen instead.
Running uml-selinux guests is not a problem, and xen is not necessarily
the right approach for everything: the system virtualisation does not
happen at the same os level. Can you control your xen instance from
within a selinux controlled system? (note: I am not talking about
running selinux from within a xen instance)
> l.
>
> p.s. xen's a lot damn quicker, too. quick enough so that you can
> seriously consider just doing apt-get update, blah blah.
uml on x86 with the skas3 patch is very fast.
We've been running debian guests (inc apt-get) just fine for years.
Antoine
* Re: http://www.golden-gryphon.com/software/security/selinux.xhtml
From: Luke Kenneth Casson Leighton @ 2005-06-09 23:20 UTC (permalink / raw)
To: antoine; +Cc: SE-Linux, debian-devel, Blaisorblade, Jeff Dike
On Thu, Jun 09, 2005 at 11:42:00PM +0100, antoine wrote:
> On Thu, 2005-06-09 at 20:20 +0100, Luke Kenneth Casson Leighton wrote:
> > manoj, hi,
> >
> > i am delighted to see the above web page re: selinux.
> Err?
never seen it before :)
> >
> > i notice you mention that there is an effort underway to make
> > a uml-selinux.
> >
> > perhaps i should mention that it is utterly trivial to set up
> > a xen system with a guest domain running pretty much any kind
> > of kernel - including selinux enabled ones.
> We have been running selinux guest kernels in uml for years, that was
_great_.
hm - the above page gives the impression that it hasn't been:
"There also has been an interest in creating an
^^^^^^^^
SELinux UML, since it allows for rapid testing of
policies, and packages, and to observe the reaction of
the machine to threats and other stimuli. However,
it has been tedious, traditionally, to create a
UML that can be run in enforcing mode. A recipe for
doing so has been created..."
> not the issue here,
> or are you just doing xen advocacy?
i was under the impression, from the above, that somehow
debian cannot run selinux/uml.
i was therefore recommending an alternative that is, by
comparison, just... okay: xen takes a source code download,
two kernel compiles, create a guest-machine-config, and
a guest-machine-install (unless like me you're prepared to
copy the drive images of an existing machine and hack it into
submission from there :) and you're done, up, running.
by contrast: i once installed uml...
> The question was about ensuring proper containment of the UML kernel
> process *from outside*, with regards to the way uml handles tmpfs (which
> it uses as a ram backing store with execute attributes).
>
> > people who are not happy about using or waiting for uml-selinux
> > might want to consider either temporarily or permanently
> > utilising xen instead.
> Running uml-selinux guests is not a problem, and xen is not necessarily
> the right approach for everything: the system virtualisation does not
> happen at the same os level. Can you control your xen instance from
> within a selinux controlled system?
you're talking about running xen in the domain master, yes?
known as domain "0".
in theory, it can be done (and i haven't been mad enough to switch on
selinux in the xen master domain yet...)
management of xen (communication between domains) is done
via a python-based HTTP web server (twisted python) running on a high
port number.
want fine-grained control? ... erk.
> (note: I am not talking about
> running selinux from within a xen instance)
known as a guest domain (i.e. not numbered domain 0)
> > l.
> >
> > p.s. xen's a lot damn quicker, too. quick enough so that you can
> > seriously consider just doing apt-get update, blah blah.
> uml on x86 with the skas3 patch is very fast.
> We've been running debian guests (inc apt-get) just fine for years.
hm. sorry about that - the above URL gives an impression other than
that.
l.
--
http://lkcl.net
* Re: http://www.golden-gryphon.com/software/security/selinux.xhtml
From: antoine @ 2005-06-10 1:21 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton
Cc: SE-Linux, debian-devel, Blaisorblade, Jeff Dike
> i was under the impression, from the above, that somehow
> debian cannot run selinux/uml.
I haven't tried selinux on my debian uml instances.
> i was therefore recommending an alternative that is, by
> comparison, just... okay: xen takes a source code download,
> two kernel compiles, create a guest-machine-config, and
> a guest-machine-install (unless like me you're prepared to
> copy the drive images of an existing machine and hack it into
> submission from there :) and you're done, up, running.
>
> by contrast: i once installed uml...
Example with Gentoo-SELinux:
* make a Gentoo SELinux filesystem (loopback mounted + chroot)
and add /dev/ubd devices (uml block devices) adjust fstab and inittab
* build a kernel (make ARCH=um vmlinux)
* run it:
./vmlinux mem=512 ubd0=./root_fs root=/dev/ubda selinux=1 enforcing=0
* selinux relabel
(optional: reboot guest in enforcing mode, add skas to host, etc)
It cannot be easier than this, can it?
> in theory, it can be done (and i haven't been mad enough to switch on
> selinux in the xen master domain yet...)
It is the most critical system to secure: One ring to rule them all...
> management of xen (communication between domains) is done
> via a python-based HTTP web server (twisted python) running on a high
> port number.
I'm not here to have a go at xen/python (or start a holy war) but I
prefer the way uml is managed: like a normal process, which means you
can apply normal tools to control it (ie: selinux if you want to). Any
linux system can run uml instances without a single reboot (albeit
without skas). On the other hand, uml is linux only, xen virtualises the
whole system and has some nice features (live migration particularly)
> the above URL gives an impression other than that.
When it comes to performance benchmarks (that's part of my job) it is
very difficult to compare accurately unless you know all the products
very well. If you are referring to this benchmark:
http://www.cl.cam.ac.uk/Research/SRG/netos/xen/performance.html
* It uses kernel 2.4.22 which is *very* old.
* I/O is the main difference but it does not mention what method was
used for the filesystems backing store. There are many tricks that can
drastically improve performance if you know what you are doing (even for
VMWare). Xen generally uses raw disks whereas uml generally uses files
as disk images, this overhead alone will create a huge difference in
performance. I believe Xen can probably achieve better I/O performance
than uml, but not by the margins shown above.
* It was authored by people working on Xen, I am not trying to discredit
the results in any way, just pointing out that they clearly knew Xen
better than the others...
Now, don't get me started on database performance...
Cheers
Antoine
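Antoine's containment point (UML keeps its RAM backing store on tmpfs and needs execute permission there) and his UML recipe, as an added host-side helper that is not part of the thread: it checks that the directory UML will use for its backing file sits on a tmpfs that is not mounted noexec, then builds the recipe's launch line. It assumes UML honours TMPDIR (defaulting to /dev/shm) for that file, and the mount table below is a constructed sample, not a real host's /proc/mounts.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts lines, standing in for the host's
# real table so the check can be exercised offline.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext3 rw 0 0'

# Print "<fstype> <options>" of the longest mount point containing DIR ($1),
# reading the mount table passed as $2.
mount_for_dir() {
  printf '%s\n' "$2" | awk -v d="$1" '
    { mp = $2
      if (mp == "/" || d == mp || index(d, mp "/") == 1)
        if (length(mp) > best) { best = length(mp); rec = $3 " " $4 } }
    END { print rec }'
}

# UML uses tmpfs as the guest RAM backing store and needs execute
# permission on it, so the directory must be a tmpfs without noexec.
# Prints the verdict; exit status is 0 only when the check passes.
uml_tmpdir_ok() {
  rec=$(mount_for_dir "$1" "$2")
  fstype=${rec%% *}
  opts=${rec#* }
  case "$fstype" in
    tmpfs) ;;
    *) echo "not tmpfs: $fstype"; return 1 ;;
  esac
  case ",$opts," in
    *,noexec,*) echo "mounted noexec"; return 1 ;;
  esac
  echo "ok"
}

# The launch line from the recipe: root_fs ($1), memory in MB ($2) and
# enforcing ($3): 0 for the first boot and relabel, 1 once the policy loads.
uml_cmdline() {
  echo "./vmlinux mem=$2 ubd0=$1 root=/dev/ubda selinux=1 enforcing=$3"
}

# Run the check against the real /proc/mounts, then start the guest.
# Assumption: UML places its backing file under TMPDIR (default /dev/shm).
launch_uml() {
  tmpdir=${TMPDIR:-/dev/shm}
  uml_tmpdir_ok "$tmpdir" "$(cat /proc/mounts)" >/dev/null ||
    { echo "refusing to start: $tmpdir unsuitable for UML backing file" >&2; return 1; }
  exec $(uml_cmdline "$1" "${2:-512}" "${3:-0}")
}
```

Source the file and call `launch_uml ./root_fs 512 0` from the directory holding the built vmlinux.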
* Re: http://www.golden-gryphon.com/software/security/selinux.xhtml
From: Manoj Srivastava @ 2005-06-10 4:33 UTC (permalink / raw)
To: antoine; +Cc: SE-Linux, debian-devel, Blaisorblade, Jeff Dike
On Fri, 10 Jun 2005 00:20:31 +0100, Luke Kenneth Casson Leighton <lkcl@lkcl.net> said:
> On Thu, Jun 09, 2005 at 11:42:00PM +0100, antoine wrote:
>> On Thu, 2005-06-09 at 20:20 +0100, Luke Kenneth Casson Leighton wrote:
>> > manoj, hi,
>> >
>> > i am delighted to see the above web page re: selinux.
>> Err?
> never seen it before :)
>> >
>> > i notice you mention that there is an effort underway to make a
>> > uml-selinux.
>> >
>> > perhaps i should mention that it is utterly trivial to set up a
>> > xen system with a guest domain running pretty much any kind of
>> > kernel - including selinux enabled ones.
>> We have been running selinux guest kernels in uml for years, that
>> was
> _great_.
> hm - the above page gives the impression that it hasn't been:
> "There also has been an interest in creating an
> ^^^^^^^^
> SELinux UML, since it allows for rapid testing of policies,
> and packages, and to observe the reaction of the machine to
> threats and other stimuli. However, it has been tedious,
> traditionally, to create a UML that can be run in enforcing
> mode. A recipe for doing so has been created..."
------------------^^^^^^
Recipe \Rec"i*pe\ (r[e^]s"[i^]*p[-e]), n.; pl. {Recipes}
(r[e^]s"[i^]*p[=e]z). [L., imperative of recipere to take
back, take in, receive. See {Receive}.]
4. a method or procedure for accomplishing a goal by defined
steps; -- implying a high probability of achieving the
goal; as, a recipe for success. Also used in a negative
sense, as, a recipe for disaster.
>> not the issue here,
>> or are you just doing xen advocacy?
> i was under the impression, from the above, that somehow debian
> cannot run selinux/uml.
If it were not possible to do so, a recipe could also not have
been created.
> hm. sorry about that - the above URL gives an impression other
> than that.
Only if you
a) do not understand the meaning of the word recipe, and
b) do not follow the link down to
http://www.golden-gryphon.com/software/security/selinux-uml.xhtml
manoj
--
Calling you stupid is an insult to stupid people! Wanda, "A Fish
Called Wanda"
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C