* Re: Another small SE presentation
2003-09-09 19:54 Another small SE presentation Tom
@ 2003-09-09 23:04 ` Dale Amon
2003-09-10 7:47 ` James de Lurker
1 sibling, 0 replies; 6+ messages in thread
From: Dale Amon @ 2003-09-09 23:04 UTC (permalink / raw)
To: Tom; +Cc: SELinux
On Tue, Sep 09, 2003 at 09:54:19PM +0200, Tom wrote:
> It seems to me after these last events that SELinux is by far not as
> well known as I would have thought. I'm a bit surprised by that. Is
> anyone else?
Unless you're really in the loop on these sort of things, you
don't necessarily know about them. I've been on the day-to-day
firing line myself. When you're there you are lucky if you
have time to go home and change, let alone read newsgroups and
mail lists.
I'll probably give selinux a mention at some point. I've been
thinking of injecting a techy article into my 'blog (samizdata),
which is read by a lot of people who probably don't read slashdot...
and probably by a lot of people who will skip to something they
understand :-)
It seems to me we're approaching an important new threshold in
the linux world. The 2.6 kernels now have ipsec, ipv6, selinux,
and crypto all supported in standard, not to mention other
Enterprise features. Then you've got the new Debian Installer
with the sarge dist... things are really hopping in our
world.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Another small SE presentation
2003-09-09 19:54 Another small SE presentation Tom
2003-09-09 23:04 ` Dale Amon
@ 2003-09-10 7:47 ` James de Lurker
2003-09-10 15:46 ` Tom
2003-09-10 23:07 ` Russell Coker
1 sibling, 2 replies; 6+ messages in thread
From: James de Lurker @ 2003-09-10 7:47 UTC (permalink / raw)
To: SELinux
Feedback to Tom's question. OT for a developer list, perhaps, but
I hope that you find my "end user" experiences valuable for
future promotion of the selinux project.
Tom wrote:
>During a private, small meeting (about 20 people) in London this
>weekend, I gave a shortened version of the CCC presentation that
>Carsten and I made in August. The audience was exclusively computer
>security people. There was a lot of interest, many questions including
>fairly deep ones, e.g. polyinstantiation or comparisons to other
>systems.
>It seems to me after these last events that SELinux is by far not as
>well known as I would have thought. I'm a bit surprised by that. Is
>anyone else?
Not at all. I've attended three selinux presentation events, taken a keen
interest in the selinux project from first release, and built one test
system a year ago and used it actively for four months until rpm stopped
working for package upgrading and removal for no reason that I could
fathom.
( Seen recently - glibc updating sub-arch issues a likely culprit )
There was considerable interest even for the early RH6.2 incarnation!
To the point where I was asked to include a briefing on it during a
due diligence meeting with Austrian Venture Capitalist Analysts on
behalf of a client building secure systems for the German speaking
market.
The succinct answer to your question is obvious to anyone involved in
raising market awareness, and gaining "market share" of new technical
innovations.
Packaging - and promotion that will engage non specialists.
A knoppix-like CD. A "kickstart" CD that can painlessly install a
command line only basic version of the most current selinux; doing all
the necessary tweaking and post config things automagically to bring
a basic installation to a known good state for testers and systems
folk: persuading "the boss" to put an se box in a realistic real world
environment when there is a straightforward point of reference that
management can understand and accept as a low risk support exercise.
If Russell's recent article in The Linux Journal had a complementary
no brainer trial install CD on the cover - you'd have been swamped with
interest to the point where the developer list would have needed a
companion "end user, tester" list to divert the non developer traffic.
Imagine the attendance at selinux presentations in more general venue
industry events ( InfoSec 200? Olympia ) if you were handing out trial
CDs where folks could go away and build a reference system _exactly_
the same as used for the presentation, with simple HOWTO newbie type
documentation. Advertised in advance, of course...
I used to build custom, secured Linux systems and have been commissioned
to build dedicated kickstart install CDs for server building and cloning.
Also used to do software development, involved with crypto and datacomms,
so I can just about cope at the level that exists on the selinux list
and the Wirex LSM lists. I don't pretend to be as productive a C
programmer, or as capable as people here who I'd be struggling to
compete with even if I turned the clock back 15 to 20 years!
There will be ( or _should_be_ ) dozens of "systems" and "tester" grade
people that could contribute valuable testing hours and feedback. But
the level of pain and attention to figure out what the snapshot status
of the project is, and what patches posted to this list are necessary,
is far too high, even for me, to cope with :-(
Making each patch "self documenting", and a periodic "patch FAQ" that
listed everything necessary in simple steps from the last kernel.org
reference kernels ought to be posted to the list for folk that don't
work from CVS. Where patches are distro dedicated ( Debian, SuSe, whatever)
make that obvious at a glance. I've just downloaded Russell's patches
to 2.4.22 and 2.6.0-test5 UML but am clueless if they will work with
the RedHat base distributions, or are Debian dedicated, only. Obvious
to Russell and other leading developers perhaps, but not to me!
I tried syncing to CVS - from a modem connection with a 2 hour cut-out!
Not an experience I'd care to repeat. CVS is way too scary and elite a
reference. Even if it is as autonomous as breathing for the top 10% of
active CS educated software developers. Not for me it isn't.
( Advice on how to work from CVS with this limitation appreciated )
The early rpm packages didn't work. There were no SRPMS available at
that time, and no clear documentation about status of "packaged" versions
so that I had any real chance of fault isolation and fixing what was
broken without considerable pain.
CVS isn't trivial as a first point of contact. So the "duplication"
of regular status and HOWTO documentation posted to a list is essential.
Someone will have to spend time bridging the gap between the top
contributors' posting patches and the head scratching system builders
and commercial deployers such as moi motivated to be on the receiving end.
I am dismayed by all the distribution forks. I've been a RedHat distro
person (only) from 1998. Maybe there ought to be distro dedicated
subscriber lists to carry regular HOWTO postings and distro dedicated
traffic.
In August the project forked base distributions that I need to
support: RH9 now, not just the reference RH7.2 base system that I built.
So I'm spending time creating and maintaining 2 base install backups for
my kit instead of just one, as per a year ago. The entry cost bar has
been raised to proper testing. I'd have preferred to remain with the old
RH7.2 GCC and libc base for development and 2.4.xx mainstream. Few of
my selinux boxes will be graphical and GUI enabled. As I tend to deploy
testing stuff on older kit - XFree86 driver rewrites have rendered (sic)
graphical interfaces useless on many of my legacy PCI video boxes, so all
my software development and building is still done on RedHat 7.x desktops.
The issue on the list recently of segfaulting due to weird sub-arch
glibc updating issues is a case in point. How many people ( like me )
will call it a day when they end up with a dead end broken system;
repeating the same mistakes that others have already unwittingly made?
At no point has the selinux documentation made the status of the base
distribution at all clear: Basic install CD, or fully upgraded with all
the update RPMS applied? Might be a good idea to document clearly the
sensitive aspects for people that sub-arch customize building their own
rpms from SRPMS for all updates. That is what ate my first selinux build.
Currently, I am just putting the finishing touches to a RedHat 9 command
line only full updated base system ready to put on the latest 2.6.0-t5
kernel with Russell's one liner patch... Hope that it works!! Wish it
didn't feel like making a shot in the dark - like the bad old days when
system security patches to production Windows NT boxes had to be tested.
OK - with that point of reference, I feel much happier :-)
--
-- James
From and Reply To are INVALID.
All public postings use munged headers[1]- To contact me off list:
1) Remove "M U N G I E j u m p" ONLY: leave that "nospam" in there!
2) change "hotmail" 2 "myrealbox" after the @