* selinux and kde
@ 2004-08-23 23:43 Luke Kenneth Casson Leighton
From: Luke Kenneth Casson Leighton @ 2004-08-23 23:43 UTC (permalink / raw)
To: SE-Linux
... does anyone ever actually _use_ strict selinux policy enforcing
and successfully run kde under it??
i mean, i know i've been doing a lot of messing about trying
to get things to work, including perhaps unnecessarily adding
a policy for k3b (and cdrecord) and one for usbmount, and
fireflier too, but a 1,800 line patch to the default 1.14
policy is a heck of a lot of messing.
l.
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: selinux and kde
From: Thomas Bleher @ 2004-08-24 8:56 UTC (permalink / raw)
To: SE-Linux
* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 02:42]:
> ... does anyone ever actually _use_ strict selinux policy enforcing
> and successfully run kde under it??
Yes, I do.
All machines here are using KDE without problems. My policy is currently
based on Fedora policy 1.15.7-something (haven't come around to updating
for a while). I don't do CD burning here, so no comment on that, but
everything else should work[0].
What problems are you seeing?
Thomas
[0]: Not entirely true, I have to admit, after looking through my
policy:
# you will need this if you want to play unreal; not suitable for
# general policy
allow userdomain dri_device_t:chr_file rw_file_perms;
I also had some extra allow rules for the user_mount-domain (in
macros/user_macros.te), when mount is called from kde, but I'll have to
check again if these are needed.
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: selinux and kde
From: Andreas Schuldei @ 2004-08-24 12:26 UTC (permalink / raw)
To: SE-Linux
* Luke Kenneth Casson Leighton (lkcl@lkcl.net) [040824 03:46]:
> ... does anyone ever actually _use_ strict selinux policy enforcing
> and successfully run kde under it??
>
> i mean, i know i've been doing a lot of messing about trying
> to get things to work, including perhaps unnecessarily adding
> a policy for k3b (and cdrecord) and one for usbmount, and
> fireflier too, but a 1,800 line patch to the default 1.14
> policy is a heck of a lot of messing.
i agree. i set up a debian unstable server some weeks ago and
installed (quite painfully) selinux, running into most of the
problems you encountered before. when it was up it crashed
regularly at least every other day, since i compiled a kernel
without apm (following a hunch), which improved the situation
drastically and the server reaches uptimes of up to seven days
now.
the amount of avc messages i got when running normal operation
without any special stuff (postfix mostly, where spam filtering
with spamd is the most advanced operation i do) discouraged me
slightly to pursue this path right now.
i conclude that debian is not a viable platform for selinux for
non-selinux development right now. this is a real tragedy since
both russell and colin were working on it some time ago as their
prime platform, pushing it hard on debian, but i guess the
enormous debian inertia and the reluctance to include their lib
into base along with their jobs at redhat killed it for now.
* Re: selinux and kde
From: Luke Kenneth Casson Leighton @ 2004-08-24 14:49 UTC (permalink / raw)
To: SE-Linux
On Tue, Aug 24, 2004 at 10:56:33AM +0200, Thomas Bleher wrote:
> * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 02:42]:
> > ... does anyone ever actually _use_ strict selinux policy enforcing
> > and successfully run kde under it??
>
> Yes, I do.
> All machines here are using KDE without problems. My policy is currently
> based on Fedora policy 1.15.7-something (haven't come around to updating
> for a while). I don't do CD burning here, so no comment on that, but
> everything else should work[0].
> What problems are you seeing?
well, a lot of sysadm_chkpwd_t stuff, i'm seeing audit messages
after logging in on a console as a user that are indicative of
the tty not being returned to the correct context...
... but in general, i'm just surprised that i have a 1,800 line
diff file [last updated from cvs, roughly around 1.14].
l.
* Re: selinux and kde
From: Luke Kenneth Casson Leighton @ 2004-08-24 22:04 UTC (permalink / raw)
To: SE-Linux
On Tue, Aug 24, 2004 at 03:49:47PM +0100, Luke Kenneth Casson Leighton wrote:
> On Tue, Aug 24, 2004 at 10:56:33AM +0200, Thomas Bleher wrote:
> > * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 02:42]:
> > > ... does anyone ever actually _use_ strict selinux policy enforcing
> > > and successfully run kde under it??
> >
> > Yes, I do.
> > All machines here are using KDE without problems. My policy is currently
> > based on Fedora policy 1.15.7-something (haven't come around to updating
> > for a while). I don't do CD burning here, so no comment on that, but
> > everything else should work[0].
> > What problems are you seeing?
>
things like this:
+allow user_t xdm_tmp_t:file { ioctl write };
+ #EXE=/usr/bin/konqueror PATH=/tmp/xerr-sez-:0 : ioctl
and this:
+allow user_t user_home_dir_t:file { read unlink };
+ #EXE=/usr/bin/kaffeine NAME=.fonts.cache-1 : read
+ #EXE=/usr/bin/kaffeine NAME=.fonts.cache-1 : unlink
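Review bot: the target type in this rule is user_home_dir_t on a file object (NAME=.fonts.cache-1, class file), but user_home_dir_t is the type of the home directory itself, and a regular file under the home directory would normally carry a file type such as user_home_t. Before adding `allow user_t user_home_dir_t:file { read unlink };`, check the cache file's label with ls -Z; if it is mislabelled, a relabel (or a type_transition so that the cache is created with the proper file type) removes the denial without widening user_t's access to everything labelled user_home_dir_t.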
and these:
+allow user_t user_t:process { setrlimit };
+ #EXE=/bin/dash : setrlimit
+
+allow user_t user_t:capability { setuid };
+ #EXE=/usr/bin/artswrapper : setuid
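Review bot: `allow user_t user_t:capability { setuid };` grants the setuid capability to every process running in user_t, not just to artswrapper (EXE=/usr/bin/artswrapper : setuid), which is far more than the sound wrapper needs. Prefer a dedicated domain for artswrapper entered by a domain transition from user_t, so that the capability is confined to that domain; the same applies to the process setrlimit rule for /bin/dash above, which should be checked against which program actually needs it before it is granted to user_t as a whole.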
for sound to work, these must be added.
for "shutdown and restart" to be added to the menu,
access to write to /var/run, in order to create xdmctl
and the sockets therein, must be added to xdm_t.
it's just... so much extra crud i was getting a bit confused.
l.
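The rules quoted in the message above were derived from AVC denial messages: one allow rule per (source type, target type, object class), with the originating executable and object noted in a comment. As an added example, not code from this thread or from any SELinux tool, the following Python script does that grouping over a handful of constructed AVC lines in the 2004-era kernel log format, emits rules in the same commented style, and marks permissions a policy reviewer should look at twice before carrying them into a real policy. The sample audit lines, the RISKY set and the "REVIEW" marker are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Matches the classic kernel AVC line: "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed list of (class, permission) pairs that deserve review rather than a blanket allow.
RISKY = {("capability", "setuid"), ("capability", "sys_admin"), ("process", "setrlimit")}

# Constructed sample denials, shaped like the rules quoted in the thread (not real log data).
AVC_LINES = """\
audit(1093386000.123:1): avc:  denied  { ioctl write } for  pid=4321 exe=/usr/bin/konqueror path=/tmp/xerr-sez-:0 dev=hda3 ino=9001 scontext=user_u:user_r:user_t tcontext=system_u:object_r:xdm_tmp_t tclass=file
audit(1093386001.456:2): avc:  denied  { read } for  pid=4400 exe=/usr/bin/kaffeine name=.fonts.cache-1 dev=hda3 ino=9002 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1093386001.789:3): avc:  denied  { unlink } for  pid=4400 exe=/usr/bin/kaffeine name=.fonts.cache-1 dev=hda3 ino=9002 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1093386002.000:4): avc:  denied  { setrlimit } for  pid=4500 exe=/bin/dash scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
audit(1093386002.500:5): avc:  denied  { setuid } for  pid=4510 exe=/usr/bin/artswrapper capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
"""


def parse_avc(line):
    """Return the pieces of one denial needed to build a rule, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        stype = fields["scontext"].split(":")[2]   # contexts are user:role:TYPE
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    if "path" in fields:
        obj = " PATH=" + fields["path"]
    elif "name" in fields:
        obj = " NAME=" + fields["name"]
    else:
        obj = ""
    return {"perms": m.group("perms").split(), "stype": stype, "ttype": ttype,
            "tclass": tclass, "origin": "EXE=" + fields.get("exe", "?") + obj}


def build_rules(lines):
    """Group denials by (source type, target type, class), merging their permissions."""
    rules = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        entry = rules.setdefault((d["stype"], d["ttype"], d["tclass"]), {"perms": [], "why": []})
        for perm in d["perms"]:
            if perm not in entry["perms"]:
                entry["perms"].append(perm)
            entry["why"].append(f"{d['origin']} : {perm}")
    return rules


def render(rules):
    """Emit allow rules in the commented style of the thread, marking the risky ones."""
    out = []
    for (stype, ttype, tclass), entry in rules.items():
        flag = "  # REVIEW: broad permission" if any((tclass, p) in RISKY for p in entry["perms"]) else ""
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(entry['perms'])} }};{flag}")
        out.extend(f"\t#{why}" for why in entry["why"])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_rules(AVC_LINES.splitlines())))
```

The point of the REVIEW marker is the one a policy reviewer would make about the setuid and setrlimit rules above: a rule generated mechanically from a denial is only a starting point, and permissions that apply to a whole user domain rather than to the one program that triggered them should be questioned before they land in the policy.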
* Re: selinux and kde
From: Luke Kenneth Casson Leighton @ 2004-08-24 22:19 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: SE-Linux
On Tue, Aug 24, 2004 at 02:26:46PM +0200, Andreas Schuldei wrote:
> * Luke Kenneth Casson Leighton (lkcl@lkcl.net) [040824 03:46]:
> > ... does anyone ever actually _use_ strict selinux policy enforcing
> > and successfully run kde under it??
> >
> > i mean, i know i've been doing a lot of messing about trying
> > to get things to work, including perhaps unnecessarily adding
> > a policy for k3b (and cdrecord) and one for usbmount, and
> > fireflier too, but a 1,800 line patch to the default 1.14
> > policy is a heck of a lot of messing.
>
> i agree. i set up a debian unstable server some weeks ago and
> installed (quite painfully) selinux, running into most of the
> problems you encountered before. when it was up it crashed
> regularly at least every other day, since i compiled a kernel
> without apm (following a hunch), which improved the situation
> drastically and the server reaches uptimes of up to seven days
> now.
whoa. that's useful to know because i could do without headaches
like that.
... then again, i haven't seen any major crashes...
... then again, i'm working on a desktop machine and i haven't
been significantly hammering it.
> i conclude that debian is not a viable platform for selinux for
> non-selinux development right now. this is a real tragedy since
> both russel and colins were working on it some time ago as their
> prime platform, pushing it hard on debian, but i guess the
> enormous debian inertia and the reluctance to include their lib
> into base along with their jobs at redhat killed it for now.
sarge release unfreezes that, fortunately.
chicken and egg.
l.
* Re: selinux and kde
From: Erich Schubert @ 2004-08-24 23:18 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: SE-Linux
Hi Andreas,
> i agree. i set up a debian unstable server some weeks ago and
> installed (quite painfully) selinux, running into most of the
> problems you encountered before. when it was up it crashed
I set up two SELinux machines a couple of weeks ago and they have been
doing just fine (apart from some crashes at the beginning which
disappeared with a newer kernel)
> the amount of avc messages i got when running normal operation
> without any special stuff (postfix mostly, where spam filtering
> with spamd is the most advanced operation i do) discouraged me
> slightly to pursue this path right now.
I got these down quite easily and have none left now in everyday usage.
One machine is doing firewall, bind (with dyn updates) and pptp, the
other is running postfix+amavis+clamav and some custom script to get the
mail addresses out of the ldap interface of a notes server.
Of course, the more applications you run on it the more policy you'll
need to write. I haven't even thought about running SELinux on a desktop
machine yet.
Greetings,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Go away or i'll replace you with a very small shell script. //\
Jede Frau erwartet von einem Mann, dass er hält, was sie sich V_/_
von ihm verspricht.
* Re: selinux and kde
From: Russell Coker @ 2004-08-29 17:27 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Wed, 25 Aug 2004 00:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > Yes, I do.
> > All machines here are using KDE without problems. My policy is currently
> > based on Fedora policy 1.15.7-something (haven't come around to updating
> > for a while). I don't do CD burning here, so no comment on that, but
> > everything else should work[0].
> > What problems are you seeing?
>
> well, a lot of sysadm_chkpwd_t stuff, i'm seeing audit messages
> after logging in on a console as a user that are indicative of
> the tty not being returned to the correct context...
A change to PAM is needed to fix most of that. New Debian packages have to be
compiled with the same code as has been in the Red Hat pam packages for a
while. The problem is a lack of time.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: selinux and kde
From: Russell Coker @ 2004-08-29 17:29 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: SE-Linux
On Tue, 24 Aug 2004 22:26, Andreas Schuldei <andreas@schuldei.org> wrote:
> the amount of avc messages i got when running normal operation
> without any special stuff (postfix mostly, where spam filtering
> with spamd is the most advanced operation i do) discouraged me
> slightly to pursue this path right now.
Give me a list of AVC messages, some are probably things that should go into
the main policy.
> i conclude that debian is not a viable platform for selinux for
> non-selinux development right now. this is a real tragedy since
> both russel and colins were working on it some time ago as their
> prime platform, pushing it hard on debian, but i guess the
> enormous debian inertia and the reluctance to include their lib
> into base along with their jobs at redhat killed it for now.
The lib will go into base post-sarge. The Debian inertia is the main problem.
I am continuing to develop Debian packages in my spare time, I just have much
less spare time. This means I can't spend so much time recompiling packages
because of Debian developers being unwilling to accept patches.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: selinux and kde
From: Andreas Schuldei @ 2004-08-29 18:46 UTC (permalink / raw)
To: Russell Coker; +Cc: Andreas Schuldei, SE-Linux
* Russell Coker (russell@coker.com.au) [040829 19:29]:
> The lib will go into base post-sarge. The Debian inertia is the main problem.
>
> I am continuing to develop Debian packages in my spare time, I just have much
> less spare time. This means I can't spend so much time recompiling packages
> because of Debian developers being unwilling to accept patches.
perhaps this is where other debian developers and users can help,
by friendly suggesting to apply the patch?
could you compile a list of villains or bugs?
* Re: selinux and kde
From: Russell Coker @ 2004-08-30 0:40 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: SE-Linux
On Mon, 30 Aug 2004 04:46, Andreas Schuldei <andreas@schuldei.org> wrote:
> * Russell Coker (russell@coker.com.au) [040829 19:29]:
> > The lib will go into base post-sarge. The Debian inertia is the main
> > problem.
> >
> > I am continuing to develop Debian packages in my spare time, I just have
> > much less spare time. This means I can't spend so much time recompiling
> > packages because of Debian developers being unwilling to accept patches.
>
> perhaps this is where other debian developers and users can help,
> by friendly suggesting to apply the patch?
>
> could you compile a list of villians or bugs?
The main thing at the moment is to get libselinux into base. Then we can
hopefully get patched cron and sysvinit in there, and logrotate compiled with
SE Linux support.
Another thing that has to be done is to have PAM sorted out. PAM is
effectively forked multiple times. The Red Hat and the Debian PAM packages
have different patches and no work is being done to improve the situation at
the moment. Everyone seems to agree that if someone takes over PAM upstream
and incorporates the fixes then they will follow it instead of the current
upstream of PAM. Know anyone who wants to take over PAM upstream?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: selinux and kde
From: Luke Kenneth Casson Leighton @ 2004-08-30 9:34 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
On Mon, Aug 30, 2004 at 03:27:02AM +1000, Russell Coker wrote:
> On Wed, 25 Aug 2004 00:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > Yes, I do.
> > > All machines here are using KDE without problems. My policy is currently
> > > based on Fedora policy 1.15.7-something (haven't come around to updating
> > > for a while). I don't do CD burning here, so no comment on that, but
> > > everything else should work[0].
> > > What problems are you seeing?
> >
> > well, a lot of sysadm_chkpwd_t stuff, i'm seeing audit messages
> > after logging in on a console as a user that are indicative of
> > the tty not being returned to the correct context...
>
> A change to PAM is needed to fix most of that. New Debian packages have to be
> compiled with the same code as has been in the Red Hat pam packages for a
> while. The problem is a lack of time.
ah, okay: as long as i know. [e.g., console ttys don't get
relabelled on exit, such that they are the wrong security context
for the next login... ]
okay.
so which packages are these, so i can give it a shot?
l.
* Re: selinux and kde
From: Luke Kenneth Casson Leighton @ 2004-08-30 10:01 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: Russell Coker, SE-Linux
On Sun, Aug 29, 2004 at 08:46:12PM +0200, Andreas Schuldei wrote:
> * Russell Coker (russell@coker.com.au) [040829 19:29]:
> > The lib will go into base post-sarge. The Debian inertia is the main problem.
debian inertia can be overcome by more debian users being willing to
experiment / not wish to be out-done by redhat / be more concerned
about security.
end-result being to force maintainers with a "i don't like selinux"
attitude to _have_ to accept patches in order to make their lives
easier.
l.