From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 30 May 2005 02:31:36 +0100
From: Luke Kenneth Casson Leighton
To: SE-Linux
Subject: gentoo/hardened
Message-ID: <20050530013136.GA28006@lkcl.net>

hi,

i've just installed gentoo/hardened on a laptop, and i wanted to run Xorg on it.

bearing in mind the warnings about gentoo/hardened not having "workstation" capability, i noted these and carried on, happy in the knowledge that i would be able to sort it out.

... then i found out what chris had done.

chris - i hope you don't mind me saying this...

... but you have made a _lot_ of work for yourself, and for people like myself who would be happy to contribute / get things working.

what chris has done, rather than create (for example, as one possible way forward) a gentoo_hardened define and comment out blocks of code, is... he's started from the sf.net cvs policy and REMOVED entire sections from the gentoo released selinux policy (including a large number of booleans).

that makes it _really_ difficult for me - or anyone else - to follow what's gone on, and to add stuff in, because you first have to identify the "missing" stuff, and then add in what you need. maybe.

because if you copy the sf.net policy files into a gentoo/hardened policy, you find that they are out-of-date (missing defines, macros, even missing flasks!)

so, i have a plea and a question:

* chris, would you _please_ consider tracking the sf cvs more closely, and submitting more patches to this list, rather than diverging?

* to the people maintaining selinux cvs, would you consider adding a define gentoo_hardened as well as a gentoo_selinux, or consider anything else - _anything_ - that would make it possible to consider sf.net cvs the "authoritative" and central repository of selinux policy for all distros?

pooling resources and expertise in this complex area is the only _sane_ way forward. massive forking of selinux policy on a per-distro basis is a good way to ensure that expertise and volunteers are difficult to come by.

... of course, as always, you are entirely at liberty to completely ignore anything and/or everything i say: i am paid by no-one and answer to no-one - i just want this stuff to be easier and for it to succeed.

l.

-- 
-- http://lkcl.net --

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 30 May 2005 19:46:06 -0400
From: Chris PeBenito
To: Luke Kenneth Casson Leighton
Cc: SE-Linux
Subject: Re: gentoo/hardened
Message-Id: <1117496766.1742.39.camel@chris.pebenito.net>
In-Reply-To: <20050530013136.GA28006@lkcl.net>

On Mon, 2005-05-30 at 02:31 +0100, Luke Kenneth Casson Leighton wrote:
> i've just installed gentoo/hardened on a laptop, and i wanted to run
> Xorg on it.
>
> bearing in mind the warnings about gentoo/hardened not having
> "workstation" capability, i noted these and carried on, happy in the
> knowledge that i would be able to sort it out.
>
> ... then i found out what chris had done.

You make it sound like I did something nefarious!

> chris - i hope you don't mind me saying this...
>
> ... but you have made a _lot_ of work for yourself, and for
> people like myself who would be happy to contribute / get
> things working.
>
> what chris has done, rather than create (for example, as one
> possible way forward) a gentoo_hardened define and comment out
> blocks of code, is... he's started from the sf.net cvs policy
> and REMOVED entire sections from the gentoo released selinux
> policy (including a large number of booleans).

This has been discussed on the list before. We simply have different goals than other distros. The NSA example policy is being pushed by Red Hat for widespread use, and the policy is developed in that direction, which is fine. The tunable policy was converted over to use booleans and conditional policy support, which is to Red Hat's advantage, since they don't want to install policy sources on people's systems by default. I don't have a problem with any of this, since widespread adoption helps SELinux, which is good.

Gentoo users are willing to give up more functionality, especially legacy support, for more security. We also don't want a bunch of dead policy, since it's wasteful, and leaves more possibility of unwanted information flows. So the 'base policy' is only the policy needed for the core system packages. As a user merges more packages, policy is pulled in as a dependency as required. Configurability is a big thing for Gentoo users, and thus they are willing to get down into the details, so we definitely install the policy sources. Most of the tunable policy does not need to be toggled at runtime; therefore, I reverted the conditional policy back to m4 ifdefs so there isn't extra unneeded policy in memory.

The main divergence is the conditional policy being switched back to m4 ifdefs. This wouldn't be sanely handled with distro tunables. Most everything else is just the fact that I don't keep up with sourceforge CVS religiously. If it ain't broke, don't fix it.

-- 
Chris PeBenito
Developer, Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
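For readers who have not worked with the 2005-era example policy, the following is an added illustration (not code from this thread, from the Gentoo policy or from the NSA policy) of the two mechanisms Chris contrasts above: a boolean with an `if` block, which checkpolicy compiles into the binary policy whether or not the boolean is on, and an m4 `ifdef`, which drops the text before checkpolicy ever sees it. A third form shows per-distribution exclusion using m4's else branch, the "wrap rather than delete" approach raised later in the thread. The tunable name `user_can_mount`, the build-time define `distro_gentoo`, and the types `user_t` and `fs_type` are assumed for illustration only; how such defines reach m4 depends on the build's Makefile and tunables file and is not shown.

```m4
# Added illustration, not part of the original thread or any shipped policy.
# Assumed names: user_can_mount (tunable), distro_gentoo (build-time define),
# user_t (domain), fs_type (attribute of filesystem types).

# 1. Runtime conditional (boolean).  The allow rule is compiled into the
#    binary policy and resident in the kernel policydb regardless of the
#    boolean's value; the decision is taken at load/run time (setsebool).
bool user_can_mount false;

if (user_can_mount) {
    allow user_t fs_type:filesystem { mount unmount };
}

# 2. Build-time conditional (m4 ifdef).  If user_can_mount is not defined
#    when m4 runs, the rule never reaches policy.conf or the binary, so it
#    occupies no kernel memory; changing the decision means rebuilding and
#    reloading the policy.
ifdef(`user_can_mount', `
allow user_t fs_type:filesystem { mount unmount };
')

# 3. Per-distribution exclusion with m4's else branch: keep the rule for
#    every build except one where distro_gentoo is defined.  This leaves the
#    shared source intact and records exactly what the distro drops.
ifdef(`distro_gentoo', `', `
allow user_t fs_type:filesystem { mount unmount };
')
```

With form 1, `setsebool user_can_mount 1` flips the rule at runtime, but the rule is in the loaded policy either way; with forms 2 and 3 the rule is simply absent from the build. The practical check is the one Chris uses with his type and rule counts: compare what `seinfo` (setools) reports for a build with the tunable defined and one without, and confirm the boolean variant shows the same rule count in both cases.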
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 01:57:39 +0100
From: Luke Kenneth Casson Leighton
To: Chris PeBenito
Cc: SE-Linux
Subject: Re: gentoo/hardened
Message-ID: <20050531005739.GH28006@lkcl.net>
In-Reply-To: <1117496766.1742.39.camel@chris.pebenito.net>

On Mon, May 30, 2005 at 07:46:06PM -0400, Chris PeBenito wrote:
> On Mon, 2005-05-30 at 02:31 +0100, Luke Kenneth Casson Leighton wrote:
> > i've just installed gentoo/hardened on a laptop, and i wanted to run
> > Xorg on it.
> >
> > bearing in mind the warnings about gentoo/hardened not having
> > "workstation" capability, i noted these and carried on, happy in the
> > knowledge that i would be able to sort it out.
> >
> > ... then i found out what chris had done.
>
> You make it sound like I did something nefarious!

:) *snort* the joys of writing email at 3am... sorry about that.

i wanted to be able to help / merge in xdm.te (and desktop usage) into gentoo/hardened. now i have two options:

1) learn what you've done, and then contribute to that, knowing full well that none of what i do will benefit any other project, and that i will find it difficult to get advice here on selinux ml because of the divergence

2) ignore and delete what you've done and endeavour to install the sf.net latest cvs on gentoo.

given that gentoo/hardened selinux policy is the one that's different from all others, i'm far more inclined to 2).

> > chris - i hope you don't mind me saying this...
> >
> > ... but you have made a _lot_ of work for yourself, and for
> > people like myself who would be happy to contribute / get
> > things working.
> >
> > what chris has done, rather than create (for example, as one
> > possible way forward) a gentoo_hardened define and comment out
> > blocks of code, is... he's started from the sf.net cvs policy
> > and REMOVED entire sections from the gentoo released selinux
> > policy (including a large number of booleans).
>
> This has been discussed on the list before.

dang, missed it - or wasn't paying attention because i was focussing on debian / selinux. sorry about that.

> We simply have different
> goals than other distros. The NSA example policy is being pushed by Red
> Hat for widespread use, and the policy is developed in that direction,
> which is fine. The tunable policy was converted over to use booleans
> and conditional policy support, which is to Red Hat's advantage, since
> they don't want to install policy sources on people's systems by default.
> I don't have a problem with any of this, since widespread adoption helps
> SELinux, which is good.
>
> Gentoo users are willing to give up more functionality, especially
> legacy support, for more security.

i'd like to be a gentoo user, and i'd like it to be _less work_ to achieve more [see later on. short: users' confusion and bewilderment at complexity and divergence from the "standard" is a recipe for LESS security not more].

i feel confident that if you proposed something reasonable that meant there was one more distro whose needs and requirements were incorporated conveniently into the selinux sf.net cvs then people would do their level best to make room for it / start thinking of ways to accommodate it.

> We also don't want a bunch of dead
> policy, since it's wasteful, and leaves more possibility of unwanted
> information flows.

okay - how about splitting what you classify as "dead policy" [wrt gentoo] out into separate files, then submitting a patch that then makes it easier for gentoo to "exclude" those files... WITHOUT people like me having to wade through a diff -ru to work out what you've deleted!

> So the 'base policy' is only the policy needed for
> the core system packages.

> As a user merges more packages, policy is
> pulled in as a dependency as required.

yes, i noticed that - i thought that was a great idea.

it also means that people have to _explicitly_ install an selinux policy package in order to allow the service to actually... er... work!

the debian install method - over 100 questions "do you want package X" - yeurrk :) try doing apt-get install on _that_!

> Configurability is a big thing
> for Gentoo users, and thus they are willing to get down into the
> details, so we definitely install the policy sources. Most of the
> tunable policy does not need to be toggled at runtime; therefore, I
> reverted the conditional policy back to m4 ifdefs so there isn't extra
> unneeded policy in memory.

hm... you're the second person to have raised this.

valdis just this week chopped a stack-load of [iirc correctly: unused?] macro stuff out and the memory usage dropped dramatically.

if what valdis has done is suitable for gentoo/hardened, that would [fortunately!] make this justification redundant (i hope!)

> The main divergence is the conditional policy being switched back to m4
> ifdefs. This wouldn't be sanely handled with distro tunables. Most
> everything else is just the fact that I don't keep up with sourceforge
> CVS religiously.

okay, here's the rub. you changed _two_ things - 1) distro tunables 2) not keeping up with sf cvs.

that makes it _very_ difficult 1) for you to maintain 2) for anyone _but_ you to follow.

i'm a bright guy (well, i'm supposed to be). but hell i _sure_ don't want to get involved with a "fork" of selinux security policy - i _just_ don't have the time or money to focus on it in enough paranoid detail, and - correct me if i'm wrong - i doubt whether you do, either.

and that _sure_ as hell means that no sane gentoo admin is going to have the time or inclination either - no matter _how_ configurable gentoo is. [i have an experienced sysadmin friend - 15 years he's set up servers in secure environments. he had to call ME in to implement a customised bastion selinux sftp server a few months back, after he explained to his bosses that it would take him a MONTH to even BEGIN to understand the issues involved in selinux policy, and even then he wouldn't be sure where to start or even if he'd got it right]

... there _are_ people however whose expertise you could ride with - stephen, russell, tresys - but forking a separate gentoo/hardened policy makes their expertise that _extra_ bit more remote.

... come back to the fold, chris, please! we miss you. baaaa :)

l.
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 00:07:34 -0400
From: Chris PeBenito
To: Luke Kenneth Casson Leighton
Cc: SE-Linux
Subject: Re: gentoo/hardened
Message-Id: <1117512454.1742.101.camel@chris.pebenito.net>
In-Reply-To: <20050531005739.GH28006@lkcl.net>

On Tue, 2005-05-31 at 01:57 +0100, Luke Kenneth Casson Leighton wrote:
> On Mon, May 30, 2005 at 07:46:06PM -0400, Chris PeBenito wrote:
> > On Mon, 2005-05-30 at 02:31 +0100, Luke Kenneth Casson Leighton wrote:
> > > i've just installed gentoo/hardened on a laptop, and i wanted to run
> > > Xorg on it.
> >
> > Gentoo users are willing to give up more functionality, especially
> > legacy support, for more security.
>
> i'd like to be a gentoo user, and i'd like it to be _less
> work_ to achieve more [see later on. short: users' confusion and
> bewilderment at complexity and divergence from the "standard"
> is a recipe for LESS security not more].

The complexity of policy is created by the fact that Linux is a general purpose OS. The current policy is hard to understand, regardless. This is something that we are working on improving at Tresys with our reference policy work.

http://tresys.com/Downloads/selinux_dev/reference-policy.pdf

> > We also don't want a bunch of dead
> > policy, since it's wasteful, and leaves more possibility of unwanted
> > information flows.
>
> okay - how about splitting what you classify as "dead policy"
> [wrt gentoo] out into separate files, then submitting
> a patch that then makes it easier for gentoo to "exclude"
> those files... WITHOUT people like me having to wade through
> a diff -ru to work out what you've deleted!

I think I had a poor choice of words. It's not dead policy, it's unused policy. For example, there is no need for an ntpd policy to be installed on all systems, since not all systems have ntp.

> > So the 'base policy' is only the policy needed for
> > the core system packages.
>
> > As a user merges more packages, policy is
> > pulled in as a dependency as required.
>
> yes, i noticed that - i thought that was a great idea.
>
> it also means that people have to _explicitly_ install an
> selinux policy package in order to allow the service to
> actually... er... work!

No, as I said above, it is pulled in as a dependency. So if you install ntp, selinux-ntp (the ntpd policy package) is installed first. It does not have to be explicitly installed.

> the debian install method - over 100 questions "do you want
> package X" - yeurrk :) try doing apt-get install on _that_!

Interactive ebuilds are disallowed in Gentoo.

> > Configurability is a big thing
> > for Gentoo users, and thus they are willing to get down into the
> > details, so we definitely install the policy sources. Most of the
> > tunable policy does not need to be toggled at runtime; therefore, I
> > reverted the conditional policy back to m4 ifdefs so there isn't extra
> > unneeded policy in memory.
>
> hm... you're the second person to have raised this.
>
> valdis just this week chopped a stack-load of [iirc
> correctly: unused?] macro stuff out and the memory usage
> dropped dramatically.

I am not concerned about the size of the policy.conf, I'm concerned about the size of the policy in kernel memory. For example, the Fedora policy is somewhere around 1280 types and 270,000 rules. The strict policy on my notebook is 598 types and 64,822 rules, including the X policies. I'm sure the difference in memory footprint for the policydb is noticeable.

> > The main divergence is the conditional policy being switched back to m4
> > ifdefs. This wouldn't be sanely handled with distro tunables. Most
> > everything else is just the fact that I don't keep up with sourceforge
> > CVS religiously.

[cut]

> but hell i _sure_ don't want to get involved with a "fork"
> of selinux security policy - i _just_ don't have the time or
> money to focus on it in enough paranoid detail, and - correct
> me if i'm wrong - i doubt whether you do, either.

You used a scary word to describe the Gentoo policy. It is most certainly not a fork, it is a vendor branch. I do sync up with the latest changes, usually when there is a release by the NSA guys, or if there is another need for an update. This is a common practice. For example, I doubt that the Fedora coreutils package has the same patches as the Debian coreutils package or the Gentoo coreutils package, etc. The same can be said for each distro's kernels.

> and that _sure_ as hell means that no sane gentoo admin
> is going to have the time or inclination either - no matter
> _how_ configurable gentoo is. [i have an experienced sysadmin
> friend - 15 years he's set up servers in secure environments.
> he had to call ME in to implement a customised bastion
> selinux sftp server a few months back, after he explained to
> his bosses that it would take him a MONTH to even BEGIN to
> understand the issues involved in selinux policy, and even
> then he wouldn't be sure where to start or even if he'd got
> it right]

Again, this has nothing to do with the distribution or the changes I make to the Gentoo policy. See my above comments on the reference policy and policy complexity.

> ... there _are_ people however whose expertise you could ride with -
> stephen, russell, tresys - but forking a separate gentoo/hardened
> policy makes their expertise that _extra_ bit more remote.

I don't see how a little divergence makes their expertise remote. BTW, I also work on policy at Tresys if you didn't realize :)

-- 
Chris PeBenito
Developer, Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 12:05:42 +0100
From: Luke Kenneth Casson Leighton
To: Chris PeBenito
Cc: SE-Linux
Subject: Re: gentoo/hardened
Message-ID: <20050531110542.GA4131@lkcl.net>
In-Reply-To: <1117512454.1742.101.camel@chris.pebenito.net>

On Tue, May 31, 2005 at 12:07:34AM -0400, Chris PeBenito wrote:
> > okay - how about splitting what you classify as "dead policy"
> > [wrt gentoo] out into separate files, then submitting
> > a patch that then makes it easier for gentoo to "exclude"
> > those files... WITHOUT people like me having to wade through
> > a diff -ru to work out what you've deleted!
>
> I think I had a poor choice of words. It's not dead policy, it's unused
> policy.

ah - i understood that, i just didn't make it clear that i understood it - apologies.

> > it also means that people have to _explicitly_ install an
> > selinux policy package in order to allow the service to
> > actually... er... work!
>
> No, as I said above, it is pulled in as a dependency. So if you install
> ntp, selinux-ntp (the ntpd policy package) is installed first. It does
> not have to be explicitly installed.

oh, cool. [hm, i'd done an explicit emerge so hadn't noticed.]

> > valdis just this week chopped a stack-load of [iirc
> > correctly: unused?] macro stuff out and the memory usage
> > dropped dramatically.
>
> I am not concerned about the size of the policy.conf, I'm concerned
> about the size of the policy in kernel memory.

i understood valdis to be equally so concerned.

> > ... there _are_ people however whose expertise you could ride with -
> > stephen, russell, tresys - but forking a separate gentoo/hardened
> > policy makes their expertise that _extra_ bit more remote.
>
> I don't see how a little divergence makes their expertise remote. BTW, I
> also work on policy at Tresys if you didn't realize :)

:) evidently not :) thank you for evaporating my concerns.

... so am i allowed to ask you, after endeavouring to shoot everybody down in flames: any chance you could make your latest [experimental?] gentoo policy available? i do need to get a gentoo/hardened workstation running, asap.

much appreciated,

l.

-- 
-- http://lkcl.net --
From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 13:29:31 +0100
From: Stephen Bennett
To: Luke Kenneth Casson Leighton
Cc: SE-Linux
Subject: Re: gentoo/hardened
Message-ID: <20050531132931.5c2bee94@localhost>
In-Reply-To: <20050531110542.GA4131@lkcl.net>

On Tue, 31 May 2005 12:05:42 +0100 Luke Kenneth Casson Leighton wrote:
> ... so am i allowed to ask you, after endeavouring to shoot
> everybody down in flames: any chance you could make your
> latest [experimental?] gentoo policy available? i do need
> to get a gentoo/hardened workstation running, asap.

It's all in cvs -- http://www.gentoo.org/cgi-bin/viewcvs.cgi/selinux/?root=gentoo-projects would probably be the place to start. If you don't like the viewcvs interface, there does exist an anoncvs mirror of it that's Not For Public Consumption (or was last thing I heard from the owner) -- mail me off list if you want the address.

I also have some patches (well, one very big patch really) to import most of the changes from nsa cvs, done mainly for my benefit -- the mips box really needs a 2.6.12-rc kernel, and running that with a policy that has no concept of name_connect is painful.

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 09:47:40 -0400
From: Valdis.Kletnieks@vt.edu
To: Luke Kenneth Casson Leighton
Cc: Chris PeBenito, SE-Linux
Subject: Re: gentoo/hardened
Message-Id: <200505311347.j4VDlfo7027518@turing-police.cc.vt.edu>
In-Reply-To: <20050531005739.GH28006@lkcl.net>

On Tue, 31 May 2005 01:57:39 BST, Luke Kenneth Casson Leighton said:
> valdis just this week chopped a stack-load of [iirc
> correctly: unused?] macro stuff out and the memory usage
> dropped dramatically.
>
> if what valdis has done is suitable for gentoo/hardened,
> that would [fortunately!] make this justification redundant
> (i hope!)

What I did *seems* to work *on my laptop*. The *correct* way to do it would involve adding a whole bunch of m4 ifdefs.

I think for what Chris was trying to do for Gentoo, the *right* fix wasn't deleting code, but wrapping the code to be removed in an ifndef(`gentoo') wrapper....

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 08:33:58 -0700 (PDT)
From: Casey Schaufler
To: SE-Linux
Subject: Re: gentoo/hardened
Message-ID: <20050531153358.61421.qmail@web31609.mail.mud.yahoo.com>
In-Reply-To: <1117512454.1742.101.camel@chris.pebenito.net>

--- Chris PeBenito wrote:
> The complexity of policy is created by the fact
> that Linux is a general purpose OS.

Err, no. The complexity of policy is an artifact of the ad hoc way policy is being applied to the system. By approaching the policy one program at a time, and putting all of ten minutes' thought into the policy for each program, you are destined to end up with a higgledy-piggledy hodgepodge that grows beyond the bounds of control.

> The current policy is hard to understand,
> regardless.

And undocumented, and undesigned.

> This is something that we are working on
> improving at Tresys with our reference
> policy work.

Good. I would love to see a design for the policy. I mean, to date it has been like you're walking along a fence and every time you come to a post you staple whatever happens to be lying on the ground nearby onto it. What is the point?

Casey Schaufler
casey@schaufler-ca.com

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 31 May 2005 22:23:39 +0100
From: Luke Kenneth Casson Leighton
To: Stephen Bennett
Cc: SE-Linux
Subject: Re: gentoo/hardened
Message-ID: <20050531212339.GH11815@lkcl.net>
In-Reply-To: <20050531132931.5c2bee94@localhost>

On Tue, May 31, 2005 at 01:29:31PM +0100, Stephen Bennett wrote:
> On Tue, 31 May 2005 12:05:42 +0100
> Luke Kenneth Casson Leighton wrote:
> > ... so am i allowed to ask you, after endeavouring to shoot
> > everybody down in flames: any chance you could make your
> > latest [experimental?] gentoo policy available? i do need
> > to get a gentoo/hardened workstation running, asap.
>
> It's all in cvs --
> http://www.gentoo.org/cgi-bin/viewcvs.cgi/selinux/?root=gentoo-projects
> would probably be the place to start.

_great_. ta.