selinux

selinux

[Harald Hoyer]

[-- Attachment #1: Type: text/plain, Size: 133 bytes --]

In extras there is udev_selinux. From where is this supposed to be called?

Attached is a totally untested patch to make it compile.

[-- Attachment #2: udev-024-selinux.patch --]
[-- Type: text/x-patch, Size: 1183 bytes --]

--- udev-024/extras/selinux/Makefile.sel	2004-04-05 17:59:22.640630568 +0200
+++ udev-024/extras/selinux/Makefile	2004-04-05 17:59:48.421711248 +0200
@@ -54,6 +54,7 @@
 
 
 install: all
+	$(INSTALL_PROGRAM) -D $(PROG) $(DESTDIR)$(sbindir)/$(PROG)
 
 uninstall: 
 
--- udev-024/extras/selinux/udev_selinux.c.sel	2004-04-03 00:47:28.000000000 +0200
+++ udev-024/extras/selinux/udev_selinux.c	2004-04-05 17:59:05.962166080 +0200
@@ -12,17 +12,32 @@
 
 #ifdef LOG
 unsigned char logname[LOGNAME_SIZE];
-void log_message(int level, const char *format, ...)
+static int debug;
+void log_message (int level, const char *format, ...)
 {
-	va_list args;
+	va_list	args;
 
-	if (!udev_log)
+	if (!debug && level == LOG_DEBUG)
 		return;
 
-	va_start(args, format);
-	vsyslog(level, format, args);
-	va_end(args);
+	va_start (args, format);
+	{
+		static int logging_init = 0;
+		if (!logging_init) {
+			/*
+			 * klibc does not have LOG_PID.
+			 */
+			snprintf(logname, 32, "udev_selinux[%d]", getpid());
+			openlog (logname, 0, LOG_DAEMON);
+			logging_init = 1;
+		}
+
+		vsyslog(level, format, args);
+	}
+	va_end (args);
+	return;
 }
+
 #endif
 
 void selinux_add_node(char *filename)

SELinux

[khalid fahad]

[-- Attachment #1.1: Type: text/plain, Size: 785 bytes --]

Hi,
I have a question about SELiux. the question is (  Using the syntax from
sesearch output , provide a list of rules that you would create to confine
file access for a corporate finance application (e.g. accounts
payable/receivable, payroll). You should create type(s) for both the
process(es) and files. Ensure that you consider the wide variety of types
of data that this application would need to access).

i run the command (sesearch -A I grep -w '' ftpd_ t public content_ t'' )
and i get:-
allow ftpd_t  public_content_t : dir { ioctl read getattr lock search open
} ;
allow ftpd_t  public_content_t :  lnk file  { read getattr } ;
allow ftpd_t  public_content_t :  file { ioctl read getattr lock open } ;
can you help me to understand the concept of this question ?
best reg,

[-- Attachment #1.2: Type: text/html, Size: 1402 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

SELinux

[Justin Mattock]

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

Thanks for the info on how SELinux and audit run in the situation of power
conservativeness, and handling; very interesting about applications going
into a loop. or power hungry CPU's.

   Justin P. Mattock

[-- Attachment #2: Type: text/html, Size: 231 bytes --]

SeLinux

[Azeem Gopalani]

Hello.

	I'm Azeem, and I'm extremely impressed by the amount of activity 
on this mailing list. I'm a Linux Newbie compared to you fellows, though I 
do run and administrate a box of my own running Slackware 8.0. I'm 
thinking of setting up a second system and contributing in some way to the 
project, though I have no idea how, and know less than a quarter of what 
you're talking about. I still believe introductions are a Good Thing(TM), 
so that's me and information pertinent to you all.

	You may now proceed to brilliantly lambaste me.

			--Azeem

-- 
Death twitches my ear. 
"Live," he says, "I am coming."  
~Virgil
--
                             Azeem Gopalani
                                 captain@obscure.org


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

selinux

[Menon, Sunanda R]

I am trying to get selinux patch for red hat Linux 2.4.18. I could not find
the tar file at the NSA site. Can anyone tell me where I can get it?
Thanks

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux

[Howard Holm]

The SELinux web site at nsa.gov provides only the current release and
"historically significant" old releases.  Frankly I don't recommend
using an old release because the newer releases contain important bug
fixes, improvements, and old releases are often are incompatible with
newer tools and utilities.  If you must have an old release, the SELinux
site at SourceForge maintains a public CVS tree which you can use to get
the old release.  See http://sourceforge.net/cvs/?group_id=21266

On Wed, 2003-03-19 at 19:29, Menon, Sunanda R wrote:
> I am trying to get selinux patch for red hat Linux 2.4.18. I could not find
> the tar file at the NSA site. Can anyone tell me where I can get it?
> Thanks

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

SELinux

[Shaun Savage]

I have been customizing the policy now for about three months.  If you 
think of writing new policy as designing a state machine thing are easier.
the questions you need to ask is
1> How do you get to the execution of the program.  What domain should 
you allow to start this program?
2> What protections are required? This is the biggest issue.  Is there a 
  log file?  Does the program acceses any sockets? Is there user 
communcation?  Detail knowledge of the application is needed.  I tend to 
be paranoid so I create too many sub domains and make the policy difficult.
3> What programs are allowed to access this application data?

Read the policy/macros.te file
The linux/security/selinux/include/flask/*.h
av_permissions.h gives the bit pattern of all the permissions
av_perm_to_string.h & common_perm_to_string.h is some of the string
    permissions
class_to_string.h is most of the objects
flask.h gives the object classes

The main thing is to understand the application. Know what files, 
sockets, are being accesed and how.

I do agree that there needs to be a more documentation, but if there 
isn't the you can earn big dollars if you know it, I hope ;-).

Shaun Savage


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux

[Stephen Smalley]

On Wed, 20 Feb 2002, Shaun Savage wrote:

> The linux/security/selinux/include/flask/*.h
> av_permissions.h gives the bit pattern of all the permissions
> av_perm_to_string.h & common_perm_to_string.h is some of the string
>     permissions
> class_to_string.h is most of the objects
> flask.h gives the object classes

The definitions in these files are automatically generated from
configuration files.  A policy developer shouldn't need to look directly
at these header files - you can simply look at the security_classes and
access_vectors configuration files.  They are located in the flask
subdirectory of the SELinux module (lsm*/security/selinux/flask) and are
installed into /usr/local/selinux/flask for use in compiling the policy
configuration.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SELinux

[David Caplan]

I would also add that one of the most valuable things to look at is the log
messages.  They make it real easy to find things that you've missed.  Of
course, just because you see a deny in the log doesn't mean you necessarily
want to allow it.

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]On
Behalf Of Shaun Savage
Sent: Thursday, February 21, 2002 12:27 AM
To: selinux@tycho.nsa.gov
Subject: SELinux


I have been customizing the policy now for about three months.  If you
think of writing new policy as designing a state machine thing are easier.
the questions you need to ask is
1> How do you get to the execution of the program.  What domain should
you allow to start this program?
2> What protections are required? This is the biggest issue.  Is there a
  log file?  Does the program acceses any sockets? Is there user
communcation?  Detail knowledge of the application is needed.  I tend to
be paranoid so I create too many sub domains and make the policy difficult.
3> What programs are allowed to access this application data?

Read the policy/macros.te file
The linux/security/selinux/include/flask/*.h
av_permissions.h gives the bit pattern of all the permissions
av_perm_to_string.h & common_perm_to_string.h is some of the string
    permissions
class_to_string.h is most of the objects
flask.h gives the object classes

The main thing is to understand the application. Know what files,
sockets, are being accesed and how.

I do agree that there needs to be a more documentation, but if there
isn't the you can earn big dollars if you know it, I hope ;-).

Shaun Savage


--
You have received this message because you are subscribed to the selinux
list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.