From: Ole Kliemann <ole@plastictree.net>
To: Russell Coker <russell@coker.com.au>
Cc: selinux@tycho.nsa.gov
Subject: Re: Possible bug in finding default context?
Date: Fri, 10 Aug 2012 12:37:04 +0200
Message-ID: <20120810103704.GC2296@telvanni>
In-Reply-To: <201208101913.03332.russell@coker.com.au>
On Fri, Aug 10, 2012 at 07:13:03PM +1000, Russell Coker wrote:
> On Fri, 10 Aug 2012, Ole Kliemann <ole@plastictree.net> wrote:
> > I'm doing this on Ubuntu 12.04, so it could be the crappily
> > maintained selinux userland here.
>
> What are the problems in Ubuntu SE Linux?
>
> I've idly considered joining the Ubuntu project to help maintain SE Linux
> there. Doing it for two Debian-based distros can't be much more work than
> doing it for one.
Admittedly that statement contains a lot of prejudice. When I
started with SELinux I expectedly had problems finding my way
around. Documentation is often hard to find. The only good
reference I found so far is Richard Haines' SELinux Notebook.
But that's, like most SELinux documentation, quite abstract. If
you want more concrete information you always end up on the
websites of either Red Hat or Fedora. If you google for Ubuntu
and SELinux you won't find much.

Running a strict SELinux policy is a rather delicate affair. My
overall feeling regarding Ubuntu policy was: I shouldn't be
surprised if something suddenly stops working. But TBH I never
really tested it. When I tried installing the Ubuntu policy on my
test system right now, it failed due to some error, but normally
installing works. (I probably messed something up.)

There are a few problems I ran into that I remember off the top
of my head:

Reference policy sources can be installed and compiled but not
inserted due to missing dependencies.

There's a null pointer dereference in libsemanage, something
with genhomedircon, when trying to build a non-MCS policy. That's
a known issue but unpatched in Ubuntu.

The reference policy Ubuntu's policy is based on is something
from 2009. It doesn't have the

bool mmap_low_allowed false;

As far as my limited understanding goes that isn't a problem
unless you do something stupid anyways. (Like installing wine...
vm.mmap_min_addr is set to 65536 by default on Ubuntu.)

So bottom line: Things aren't necessarily bad. But they do look
old. And I just lack the trust that the policy is maintained in a
way that I can do updates without worries. Hence my prejudice.
Ole