Suse selinux policy

Suse selinux policy

[Dale Amon]

[-- Attachment #1: Type: text/plain, Size: 613 bytes --]

I have recently been doing some work on Suse and
Sunday thought I'd play around with their version
of selinux packages. However I failed to find their
base policy package. Does anyone know what they call
it and if it is present in a baseline SLES9?

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Suse selinux policy

[Thomas Bleher]

[-- Attachment #1: Type: text/plain, Size: 1097 bytes --]

* Dale Amon <amon@vnl.com> [2005-07-19 02:03]:
> I have recently been doing some work on Suse and
> Sunday thought I'd play around with their version
> of selinux packages. However I failed to find their
> base policy package. Does anyone know what they call
> it and if it is present in a baseline SLES9?

I don't know about SLES9 but afaik most SuSE products don't contain a
policy package (I once saw one for an older version but it was very
outdated). From what I've heard SuSE favors AppArmor over SELinux so
it's unlikely they will support SELinux[1].
I have built packages for 9.2 and am currently building some for 9.3,
you can see the work I have done at
http://www.cip.ifi.lmu.de/~bleher/selinux/suse/s?rpm-9.{2,3}/
The policy at my site is rather old but if you want I can send you a
newer policy.

Thomas

[1] Please note that I am just a normal SuSE user with no internal
contacts at SuSE so take this with a grain of salt.

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Suse selinux policy

[Dale Amon]

[-- Attachment #1: Type: text/plain, Size: 992 bytes --]

On Wed, Jul 20, 2005 at 12:35:43PM +0200, Thomas Bleher wrote:
> I don't know about SLES9 but afaik most SuSE products don't contain a
> policy package (I once saw one for an older version but it was very
> outdated). From what I've heard SuSE favors AppArmor over SELinux so
> it's unlikely they will support SELinux[1].

It doesn't make sense to me. Why would the kernel in
SLES9 have selinux compiled in (with default boot of
selinux=0) and the CD's contain libselinux, policycoreutils,
etc, etc, and no policy? The Novell OES version uses
the same disk set as well, I have been working
with both over the last month.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Suse selinux policy

[Dale Amon]

[-- Attachment #1: Type: text/plain, Size: 474 bytes --]

Is there anyone here from Suse who could discuess
SELinux setup in SLES9? The silence thus far is 
deafening...

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Suse selinux policy

[Stephen Smalley]

On Wed, 2005-07-20 at 17:59 +0100, Dale Amon wrote:
> It doesn't make sense to me. Why would the kernel in
> SLES9 have selinux compiled in (with default boot of
> selinux=0) and the CD's contain libselinux, policycoreutils,
> etc, etc, and no policy? The Novell OES version uses
> the same disk set as well, I have been working
> with both over the last month.

Just my opinion:  If they include policy in SLES, they have to support
it too.  Whereas just including the SELinux code but disabling it by
default and not providing a policy themselves lets them say that they
have "SELinux support" without having to deal with the time and effort
required to properly configure a policy for the entire distro, integrate
support throughout their userland, test the system with a loaded policy
in enforcing mode, etc.  Pushes the burden to the customer, while still
claiming the advertising benefit of claiming that they support SELinux.
Note that their press release about acquiring AppArmor/SubDomain claimed
that they were the first commercial distro to support SELinux, where
"support" apparently just means "code included", and not even all of
that.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Suse selinux policy

[Dale Amon]

[-- Attachment #1: Type: text/plain, Size: 1376 bytes --]

On Mon, Jul 25, 2005 at 10:03:31AM -0400, Stephen Smalley wrote:
> Just my opinion:  If they include policy in SLES, they have to support
> it too.  Whereas just including the SELinux code but disabling it by
> default and not providing a policy themselves lets them say that they
> have "SELinux support" without having to deal with the time and effort
> required to properly configure a policy for the entire distro, integrate
> support throughout their userland, test the system with a loaded policy
> in enforcing mode, etc.  Pushes the burden to the customer, while still
> claiming the advertising benefit of claiming that they support SELinux.
> Note that their press release about acquiring AppArmor/SubDomain claimed
> that they were the first commercial distro to support SELinux, where
> "support" apparently just means "code included", and not even all of
> that.

Thanks for getting back to me. I was hoping it was
a failure on my part to *find* it but did fear this
might be the case. 

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]