SE-Linux on SuSE

SE-Linux on SuSE

[JW]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I am interested in running SE-Linux on SuSE.

I'd appreciate hearing from anyone who's tried it.

Esp. how hard/easy it was to install/configure, anything special you had to do to get it working, and what you like/dislike about it now that you have it working.

Thanks.
- -- 

- ----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software     http://www.cedarcreeksoftware.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE886w7Q5u80xXOLBcRAu2FAKCr7p8g97WTxT3d+M5fVSK5B5hupQCfWu+k
6BRs3lkJBbb9x3Se9q20wnw=
=IkW0
-----END PGP SIGNATURE-----


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE-Linux on SuSE

[Carsten Grohmann]

Hi Jonathan!

I've install SE-Linux on SuSE (7.1). It is easy to install. You should
run it a few days in the permissive mode to add a few new rules e.g. to
add the blogd to the initrc domain. And you should remove a lot of cron
jobs, if you like or you write rules for this jobs. And the mingettys,
but SE-Linux works fine on SuSE too. 

Carsten

JW schrieb:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> 
> I am interested in running SE-Linux on SuSE.
> 
> I'd appreciate hearing from anyone who's tried it.
> 
> Esp. how hard/easy it was to install/configure, anything special you had to do to get it working, and what you like/dislike about it now that you have it working.
> 
> Thanks.
> - --
> 
> - ----------------------------------------------------
> Jonathan Wilson
> System Administrator
> Cedar Creek Software     http://www.cedarcreeksoftware.com

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Admissions Office]

Folks this may seem like a dumb question given the Open Source and postings
on the site. Its just that we want to be sure....

Is there any reason why a Colo company cannot offer SELinux as a standard
product offering they would install on clients servers?

That's all. I try to limit my dumb questions.

Ian McBeth
Sys Admin


----- Original Message -----
From: "Carsten Grohmann" <carsten.grohmann@dr-baldeweg.de>
To: <jw@centraltexasit.com>; <selinux@tycho.nsa.gov>
Sent: Monday, June 03, 2002 04:23
Subject: Re: SE-Linux on SuSE


> Hi Jonathan!
>
> I've install SE-Linux on SuSE (7.1). It is easy to install. You should
> run it a few days in the permissive mode to add a few new rules e.g. to
> add the blogd to the initrc domain. And you should remove a lot of cron
> jobs, if you like or you write rules for this jobs. And the mingettys,
> but SE-Linux works fine on SuSE too.
>
> Carsten
>
> JW schrieb:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello,
> >
> > I am interested in running SE-Linux on SuSE.
> >
> > I'd appreciate hearing from anyone who's tried it.
> >
> > Esp. how hard/easy it was to install/configure, anything special you had
to do to get it working, and what you like/dislike about it now that you
have it working.
> >
> > Thanks.
> > - --
> >
> > - ----------------------------------------------------
> > Jonathan Wilson
> > System Administrator
> > Cedar Creek Software     http://www.cedarcreeksoftware.com
>
> --
> You have received this message because you are subscribed to the selinux
list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Russell Coker]

On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> Folks this may seem like a dumb question given the Open Source and postings
> on the site. Its just that we want to be sure....
>
> Is there any reason why a Colo company cannot offer SELinux as a standard
> product offering they would install on clients servers?

As Mark stated there are no license or legal issues preventing such use.

In fact SE Linux is very desirable as an option for a hosting company as it 
allows safer sharing of recources.  I believe that the requirements that JW 
plans to solve with SE Linux are along the lines of partitioning a server for 
several users (who don't necessarily trust each other and aren't trusted by 
the administrator) to bind to ports <1024.

Of course as a practical measure you probably want to offer a non-SE service 
too, people get paranoid when the NSA is mentioned and some customers will 
probably pay extra to have a dedicated server without NSA software rather 
than a shared server with the NSA software...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Mirror Offer

[Admissions Office]

Mirror: Offer

One of my technical people wants me to ask if you would like the software to
be avail. on a mirror on our site. People just keep asking our staff about
it since I 'opened my mouth.'  We have large bandwidth and would be happy to
mirror it, Yes I know we can anyway but, its nice to have the group / all
involved agree. Our servers can handle the load and the bandwidth!

Ian McBeth



----- Original Message -----
From: "Russell Coker" <russell@coker.com.au>
To: "Admissions Office" <admissions@internet.edu.nf>
Cc: "SE Linux" <selinux@tycho.nsa.gov>
Sent: Monday, June 03, 2002 09:39
Subject: Re: SELinux Dumb Questions


> On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> > Folks this may seem like a dumb question given the Open Source and
postings
> > on the site. Its just that we want to be sure....
> >
> > Is there any reason why a Colo company cannot offer SELinux as a
standard
> > product offering they would install on clients servers?
>
> As Mark stated there are no license or legal issues preventing such use.
>
> In fact SE Linux is very desirable as an option for a hosting company as
it
> allows safer sharing of recources.  I believe that the requirements that
JW
> plans to solve with SE Linux are along the lines of partitioning a server
for
> several users (who don't necessarily trust each other and aren't trusted
by
> the administrator) to bind to ports <1024.
>
> Of course as a practical measure you probably want to offer a non-SE
service
> too, people get paranoid when the NSA is mentioned and some customers will
> probably pay extra to have a dedicated server without NSA software rather
> than a shared server with the NSA software...
>
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my address in the
> >From field.
>
> --
> You have received this message because you are subscribed to the selinux
list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mirror Offer

[Russell Coker]

On Mon, 3 Jun 2002 19:50, Admissions Office wrote:
> One of my technical people wants me to ask if you would like the software
> to be avail. on a mirror on our site. People just keep asking our staff
> about it since I 'opened my mouth.'  We have large bandwidth and would be
> happy to mirror it, Yes I know we can anyway but, its nice to have the
> group / all involved agree. Our servers can handle the load and the
> bandwidth!

You can mirror my packages from http://www.coker.com.au/selinux/ if you want, 
but I doubt that it's any great benefit for anyone.  The bandwidth used isn't 
enough to be an issue for my provier and the files aren't large enough for 
anyone to really complain about download speed.

As for the main NSA site, you'll have to wait for an answer from them, I 
suspect that they would prefer to have it downloaded from them directly 
though.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mirror Offer

[Stephen Smalley]

On Mon, 3 Jun 2002, Admissions Office wrote:

> One of my technical people wants me to ask if you would like the software to
> be avail. on a mirror on our site. People just keep asking our staff about
> it since I 'opened my mouth.'  We have large bandwidth and would be happy to
> mirror it, Yes I know we can anyway but, its nice to have the group / all
> involved agree. Our servers can handle the load and the bandwidth!

This topic has come up previously on the list; please see the archives.
The answer has always been that people are free to mirror the site if
they wish, but the NSA doesn't support "official" mirrors.

There is at least one "unofficial" mirror maintained in Australia at
wiretapped.net.  There is also the sourceforge CVS tree.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Mirror Offer

[Admissions Office]

Ok, then we will start an un-official mirror here in Canada.

Details to follow::::::: any suggestion you have would be noted.

Ian



----- Original Message -----
From: "Stephen Smalley" <sds@tislabs.com>
To: "Admissions Office" <admissions@internet.edu.nf>
Cc: "Russell Coker" <russell@coker.com.au>; "SE Linux"
<selinux@tycho.nsa.gov>
Sent: Monday, June 03, 2002 13:10
Subject: Re: Mirror Offer


>
> On Mon, 3 Jun 2002, Admissions Office wrote:
>
> > One of my technical people wants me to ask if you would like the
software to
> > be avail. on a mirror on our site. People just keep asking our staff
about
> > it since I 'opened my mouth.'  We have large bandwidth and would be
happy to
> > mirror it, Yes I know we can anyway but, its nice to have the group /
all
> > involved agree. Our servers can handle the load and the bandwidth!
>
> This topic has come up previously on the list; please see the archives.
> The answer has always been that people are free to mirror the site if
> they wish, but the NSA doesn't support "official" mirrors.
>
> There is at least one "unofficial" mirror maintained in Australia at
> wiretapped.net.  There is also the sourceforge CVS tree.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[JW]

> On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> > Folks this may seem like a dumb question given the Open Source and
> > postings on the site. Its just that we want to be sure....
> >
> > Is there any reason why a Colo company cannot offer SELinux as a standard
> > product offering they would install on clients servers?

> As Mark stated there are no license or legal issues preventing such use.


On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> SELinux includes Type Enforcement technology developed and patented by the
> Secure Computing Corporation, who still holds rights to all commercial use
> of the technology.  Before a colo company, or anyone else uses the
> technology commercially, it will be necessary to negotiate a license with
> Secure Computing.  If anyone wants to do so, I can help get the ball
> rolling with our Legal and BD folks.
>
> --Tom
>
> Dr. Tom Haigh, CTO
> Secure Computing Corp.
> 2675 Long Lake Road
> Roseville, MN 55113
>
> 651-628-2738 (V)
> 651-628-2701 (F)
>
> haigh@securecomputing.com
>
>

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Russell Coker]

On Tue, 4 Jun 2002 23:30, JW wrote:
> > On Mon, 3 Jun 2002 16:50, Admissions Office wrote:
> > > Folks this may seem like a dumb question given the Open Source and
> > > postings on the site. Its just that we want to be sure....
> > >
> > > Is there any reason why a Colo company cannot offer SELinux as a
> > > standard product offering they would install on clients servers?
> >
> > As Mark stated there are no license or legal issues preventing such use.
>
> On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> > SELinux includes Type Enforcement technology developed and patented by
> > the Secure Computing Corporation, who still holds rights to all
> > commercial use of the technology.  Before a colo company, or anyone else
> > uses the technology commercially, it will be necessary to negotiate a
> > license with Secure Computing.  If anyone wants to do so, I can help get
> > the ball rolling with our Legal and BD folks.

Let's look at the following URL:
http://www.securecomputing.com/archive/press/2000/nsa_faq_secure_linux.html

> Question 6: Will SCC use its patent on Type Enforcement TM to restrict use,
> future development, derivative work, or release of the source code of the
> system? 
>
> There will be no restrictions on the use of TE by the Linux open source
> community. We believe that leveraging the resources of the Linux community
> is the best way to develop robust security for Linux.

That seems like a clear statement that we can do what we like with it!

But Tom, if your company does want to go ahead with this patent plan then 
please do the following:

1)  Change that misleading web page.

2)  Let me know so I can remove all SE Linux code from Debian, remove it from 
my client's machines, and start work on a competing product.

3)  Make formal statements as to limitations of distribution etc, also 
clarify to what extent you want SE Linux code removed from the world.  Should 
I get the upstream maintainer of stat to remove the SE Linux code too?  Also 
you'll have to get it removed from LSM which is under the GPL, and you had 
better hope that the problems with building as a module are fixed quickly - 
you can't ship code that links with the kernel unless it's under the GPL.

PS  When does the patent expire?  If it's due to expire in 1 year or less we 
can just wait until it's gone...

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Dale Amon]

On Tue, Jun 04, 2002 at 11:59:46PM +0200, Russell Coker wrote:
> > On Monday 03 June 2002 04:13 pm, Haigh, Tom wrote:
> > > SELinux includes Type Enforcement technology developed and patented by
> > > the Secure Computing Corporation, who still holds rights to all
> > > commercial use of the technology.  Before a colo company, or anyone else
> > > uses the technology commercially, it will be necessary to negotiate a
> > > license with Secure Computing.  If anyone wants to do so, I can help get
> > > the ball rolling with our Legal and BD folks.
> 
> PS  When does the patent expire?  If it's due to expire in 1 year or less we 
> can just wait until it's gone...

I agree with Russell. This really had better be clarified. I believe it
is the intent of many on this list, myself included, to productize
systems based on SELinux.

It's either GPL or it ain't. Which is it? Do I drop my plans or continue?

PS: For my purposes, the BSD license will do just as well.




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux to GPL or not to GPL

[Admissions Office]

Ok - so how did all the work get done under the GPL? Where do things go from
here?
I mean we have all these smart people and work is now in the area of what
almost seems
like - "darn lawyers."   Hmmmmm..



> FYI, both Type Enforcement (TE) and Domain and Type Enforcement (DTE)
> are patented. Secure Computing Corp. patented TE, and TIS (Trusted
> Information Systems, now owned by Network Associates) patented DTE. The
> TE patent came first by several years. Lee Badger was one of the authors
> of the DTE patent.
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution:       http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
>
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: To confusing....

[Admissions Office]

Our company will not be using the SELinux for clients because, our
management has determined the situation is to confusing and will not place
our business at risk.

Pamela Patterson
OpenDNS Crop


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux Dumb Questions

[Admissions Office]

Sorry - I did not mean to cause a storm..... Before we know it the CIA will
ask for Inter-agency cooperation :-)

Serious - My firneds and yes colo clients ask if we will "help" them install
and or maintain this OS. Its said, the Open GL Ec so what a dummy.  I just
asked.  Please - develop, forget me.  We can and will work this out. The
world has bigger problems.

Joop Cousteau


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.