* 2.2 kernel series
From: Metrix @ 2002-02-20 0:50 UTC (permalink / raw)
To: SELinux
why develop 2.4, 2.5 even? 2.4 has had quite a lot of
problems, most people are sticking with 2.2 in a
production environment, it would seem that the 2.2
selinux patches are not being updated, which is a
shame. also, does selinux audit their code ala openbsd?
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: 2.2 kernel series
From: Dale Amon @ 2002-02-20 2:15 UTC (permalink / raw)
To: SELinux
On Tue, Feb 19, 2002 at 04:50:27PM -0800, Metrix wrote:
> why develop 2.4, 2.5 even? 2.4 has had quite a lot of
> problems, most people are sticking with 2.2 in a
> production environment,
Hardly, or at least no more than the delay for really
mission critical applications that occurred between
2.0.36 and 2.2.17 jump.
2.4.x has been more than stable enough for reasonably
critical applications for many months now, and I and
many, many others are so using it.
Changing from 2.2.17 to 2.2.17-se in a mission critical
system is exactly as risky (fixing what ain't broken)
as going to 2.4.x. I can't see any admin going to that
much trouble to recertify a 2.2.x. Same amount of work
to make the transition to 2.4.x-selinux.
> it would seem that the 2.2
> selinux patches are not being updated, which is a
> shame.
I don't think there are very many new systems going
up with 2.2.x. Selinux is still experimental anyway,
and by the time it's "done" we'll probably be using
2.6.x kernels with the conservative applications
hanging back on 2.4.x
> also, does selinux audit their code ala openbsd?
All of the kernel is pretty well audited if you
ask me; and I think Russ Coker has gone through
the security critical apps as well as Dr. Smalley.
--
------------------------------------------------------
Nuke bin Laden: Dale Amon, CEO/MD
improve the global Islandone Society
gene pool. www.islandone.org
------------------------------------------------------
* Re: 2.2 kernel series
From: George Fouse @ 2002-02-20 2:18 UTC (permalink / raw)
To: Metrix; +Cc: SELinux
I'm afraid that I would have to completely disagree with the stated
premise "most people are sticking with 2.2 in a production environment".
While there are (more accurately, have been) some issues with the 2.4
series, the obvious advantages predominate.
Given that premise, though, I understand his questions.
'Nough said.
Metrix wrote:
>
> why develop 2.4, 2.5 even? 2.4 has had quite a lot of
> problems, most people are sticking with 2.2 in a
> production environment, it would seem that the 2.2
> selinux patches are not being updated, which is a
> shame. also, does selinux audit their code ala openbsd?
--
------------------------------
George Fouse,
President
Quantum Technology Associates
System and Network Services
------------------------------
* Re: 2.2 kernel series
From: Russell Coker @ 2002-02-20 12:35 UTC (permalink / raw)
To: Dale Amon, SELinux
On Wed, 20 Feb 2002 13:15, Dale Amon wrote:
> On Tue, Feb 19, 2002 at 04:50:27PM -0800, Metrix wrote:
> > why develop 2.4, 2.5 even? 2.4 has had quite a lot of
> > problems, most people are sticking with 2.2 in a
> > production environment,
>
> 2.4.x has been more than stable enough for reasonably
> critical applications for many months now, and I and
> many, many others are so using it.
SE Linux is (IMHO) still in a beta stage. There are many issues that need to
be improved before large-scale deployment can be performed. Documentation
needs improvement, integration into distributions needs to be done, and lots
more testing!
> Changing from 2.2.17 to 2.2.17-se in a mission critical
> system is exactly as risky (fixing what ain't broken)
> as going to 2.4.x. I can't see any admin going to that
Changing from a non-SE system to an SE system is much more risky than going
from 2.2.17 to 2.4.17!
> > it would seem that the 2.2
> > selinux patches are not being updated, which is a
> > shame.
>
> I don't think there are very many new systems going
> up with 2.2.x. Selinux is still experimental anyway,
> and by the time it's "done" we'll probably be using
> 2.6.x kernels with the conservative applications
> hanging back on 2.4.x
I hope that there will be some limited deployment in 2.4.x, but I agree that
it won't become really popular until 2.6.x.
> > also, does selinux audit their code ala openbsd?
>
> All of the kernel is pretty well audited if you
I doubt that.
> ask me; and I think Russ Coker has gone through
> the security critical apps as well as Dr. Smalley.
I have been trying to get them working properly. I have read quite a bit of
code to understand what it does (particularly where documentation is lacking)
and done some work in porting patches to different programs.
But I have not even started any sort of serious audit work! When I feel that
I know SE Linux well and have my Debian packages working well then I plan to
read through some large chunks of code looking for errors or trojans. I
don't expect to find trojans and I think it's unlikely that I'll find any
serious errors, but to do this properly I have to check it (trust but verify).
--
Signatures >4 lines are rude. If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).
* Re: 2.2 kernel series
From: Stephen Smalley @ 2002-02-20 13:55 UTC (permalink / raw)
To: Metrix; +Cc: SELinux
On Tue, 19 Feb 2002, Metrix wrote:
> why develop 2.4, 2.5 even? 2.4 has had quite a lot of
> problems, most people are sticking with 2.2 in a
> production environment, it would seem that the 2.2
> selinux patches are not being updated, which is a
> shame. also, does selinux audit their code ala openbsd?
I don't want to get into a 2.2 vs. 2.4 debate, and it really isn't
relevant. SELinux is focused on technology transfer to the mainstream
Linux kernel. In that context, maintaining a 2.2-based SELinux would not
be a good use of our limited resources. If you want to create an LSM-like
framework for the 2.2 series and back port the current SELinux kernel
module, then feel free.
No, SELinux is not about auditing Linux code. Please read the overview
and the FAQ on the NSA SELinux web site. SELinux is more like TrustedBSD
than OpenBSD. This has come up previously on the list - please refer to
the mailing list archives.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: 2.2 kernel series
From: Stephen Smalley @ 2002-02-20 14:04 UTC (permalink / raw)
To: Dale Amon; +Cc: SELinux
On Wed, 20 Feb 2002, Dale Amon wrote:
> All of the kernel is pretty well audited if you
> ask me; and I think Russ Coker has gone through
> the security critical apps as well as Dr. Smalley.
I wouldn't make this claim. Please see the FAQ.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com