* Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Daniel J Walsh @ 2014-12-19 16:41 UTC (permalink / raw)
  To: SELinux

Currently Symantec requires SELinux be disabled, claiming there are
conflicts in the kernel modules.

http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux

As the customer wants to take advantage of certain SELinux features
like sVirt for VMs and Docker Containers, this conflict is coming to a head.

Is anyone familiar with whether or not this is a real conflict or just
something assumed by Symantec?

The customer likes Symantec's ability to do intrusion detection and
remote logging and configuration of CSB.

Bottom line, the customer wants both.


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Casey Schaufler @ 2014-12-19 17:59 UTC (permalink / raw)
  To: Daniel J Walsh, SELinux, LSM

On 12/19/2014 8:41 AM, Daniel J Walsh wrote:
> Currently Symantec requires SELinux be disabled, claiming there is
> conflicts in the kernel modules.
>
> http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux

Based on the fact they are also disparaging AppArmor and a couple of
out-of-tree security modules, and that SELinux=permissive is not sufficient,
I'm assuming it's an out-of-tree security module.


>
> As the customer wants to take advantage of certain  SELinux features
> like sVirt for VMs and Docker Containers, this conflict is coming to a head.
>
> Is anyone familiar with whether or not this is a real conflict or just
> something assumed by Symantec?
>
> The customer like Symantec's ability to do intrusion detection and
> remote logging and configuration of CSB. 
>
> Bottom line the customer wants both.

It would help if someone from the SELinux community would comment on
the v18 concurrent security modules patches. Moving that work forward
is your best step toward getting what you need. Of course, v18 doesn't
get you all the way, but it gets closer.

> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: eric gisse @ 2014-12-19 19:44 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

> Why disabling SELinux is important? Because both SELinux and CSP are doing the same thing, except CSP does it better!

I wonder how Symantec backs that claim up.

On Fri, Dec 19, 2014 at 10:41 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Currently Symantec requires SELinux be disabled, claiming there is
> conflicts in the kernel modules.
>
> http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
>
> As the customer wants to take advantage of certain  SELinux features
> like sVirt for VMs and Docker Containers, this conflict is coming to a head.
>
> Is anyone familiar with whether or not this is a real conflict or just
> something assumed by Symantec?
>
> The customer like Symantec's ability to do intrusion detection and
> remote logging and configuration of CSB.
>
> Bottom line the customer wants both.


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Daniel J Walsh @ 2014-12-19 19:54 UTC (permalink / raw)
  To: eric gisse; +Cc: SELinux


On 12/19/2014 02:44 PM, eric gisse wrote:
>> Why disabling SELinux is important? Because both SELinux and CSP are doing the same thing, except CSP does it better!
> I wonder how Symantec backs that claim up.

Well, that might be the same case in certain things, but when it comes to
multi-tenant situations, with MCS Separation, CSP has no answer.
>
> On Fri, Dec 19, 2014 at 10:41 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Currently Symantec requires SELinux be disabled, claiming there is
>> conflicts in the kernel modules.
>>
>> http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
>>
>> As the customer wants to take advantage of certain  SELinux features
>> like sVirt for VMs and Docker Containers, this conflict is coming to a head.
>>
>> Is anyone familiar with whether or not this is a real conflict or just
>> something assumed by Symantec?
>>
>> The customer like Symantec's ability to do intrusion detection and
>> remote logging and configuration of CSB.
>>
>> Bottom line the customer wants both.


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Casey Schaufler @ 2014-12-19 20:02 UTC (permalink / raw)
  To: eric gisse, Daniel J Walsh; +Cc: SELinux

On 12/19/2014 11:44 AM, eric gisse wrote:
>> Why disabling SELinux is important? Because both SELinux and CSP are doing the same thing, except CSP does it better!
> I wonder how Symantec backs that claim up.

Emphatic assertion. It's a very popular form of argument in the security realm.

>
> On Fri, Dec 19, 2014 at 10:41 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Currently Symantec requires SELinux be disabled, claiming there is
>> conflicts in the kernel modules.
>>
>> http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
>>
>> As the customer wants to take advantage of certain  SELinux features
>> like sVirt for VMs and Docker Containers, this conflict is coming to a head.
>>
>> Is anyone familiar with whether or not this is a real conflict or just
>> something assumed by Symantec?
>>
>> The customer like Symantec's ability to do intrusion detection and
>> remote logging and configuration of CSB.
>>
>> Bottom line the customer wants both.


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Paul Moore @ 2014-12-19 22:09 UTC (permalink / raw)
  To: Casey Schaufler, Daniel J Walsh; +Cc: LSM, SELinux

On Friday, December 19, 2014 09:59:05 AM Casey Schaufler wrote:
> On 12/19/2014 8:41 AM, Daniel J Walsh wrote:
> > Currently Symantec requires SELinux be disabled, claiming there is
> > conflicts in the kernel modules.
> > 
> > http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
> 
> Based on the fact they are also disparaging AppArmor and a couple of
> out-of-tree security modules, and that SELinux=permissive is not sufficient
> I'm assuming it's an out-of-tree security module.

I don't ever recall seeing a SCSP patchset.  I also couldn't find much in the 
way of Linux integration details on their website, mostly just marketing 
materials.

> > As the customer wants to take advantage of certain SELinux features
> > like sVirt for VMs and Docker Containers, this conflict is coming to a
> > head.
> > 
> > Is anyone familiar with whether or not this is a real conflict or just
> > something assumed by Symantec?

Other than Symantec saying you can't have both running at the same time, I 
don't even know what the conflict is ... I'm sure we can offer some guesses, 
but that isn't very helpful.

> > The customer like Symantec's ability to do intrusion detection and
> > remote logging and configuration of CSB.
> > 
> > Bottom line the customer wants both.
> 
> It would help if someone from the SELinux community would comment on
> the v18 concurrent security modules patches. Moving that work forward
> is your best step toward getting what you need. Of course, v18 doesn't
> get you all the way, but it gets closer.

This assumes that the issue is due to LSM hook conflicts; not an unreasonable 
assumption, but still just a guess.

As for the LSM stacking patches, it's on my list, along with a mountain of 
other things (now with more audit, which is horrible in its own special way).  
I can promise you that I'm not ignoring your patches any worse than I'm 
ignoring anyone else's patches :)

-- 
paul moore
www.paul-moore.com


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Miroslav Grepl @ 2015-01-06  9:45 UTC (permalink / raw)
  To: Daniel J Walsh, eric gisse; +Cc: SELinux

On 12/19/2014 08:54 PM, Daniel J Walsh wrote:
> On 12/19/2014 02:44 PM, eric gisse wrote:
>>> Why disabling SELinux is important? Because both SELinux and CSP are doing the same thing, except CSP does it better!
>> I wonder how Symantec backs that claim up.
> Well that might be the same case in certain things,
Yes, but really only in certain things.
>   but when it comes to
> multi-tenant situations, with MCS Separation. CSP has no answer.
>> On Fri, Dec 19, 2014 at 10:41 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>> Currently Symantec requires SELinux be disabled, claiming there is
>>> conflicts in the kernel modules.
>>>
>>> http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
>>>
>>> As the customer wants to take advantage of certain  SELinux features
>>> like sVirt for VMs and Docker Containers, this conflict is coming to a head.
>>>
>>> Is anyone familiar with whether or not this is a real conflict or just
>>> something assumed by Symantec?
>>>
>>> The customer like Symantec's ability to do intrusion detection and
>>> remote logging and configuration of CSB.
>>>
>>> Bottom line the customer wants both.


* Re: Some of our customers are looking to turn on SELinux but they also want to use CSP from Symantec
From: Daniel J Walsh @ 2015-01-06 13:53 UTC (permalink / raw)
  To: Miroslav Grepl, eric gisse; +Cc: SELinux


On 01/06/2015 04:45 AM, Miroslav Grepl wrote:
> On 12/19/2014 08:54 PM, Daniel J Walsh wrote:
>> On 12/19/2014 02:44 PM, eric gisse wrote:
>>>> Why disabling SELinux is important? Because both SELinux and CSP
>>>> are doing the same thing, except CSP does it better!
>>> I wonder how Symantec backs that claim up.
>> Well that might be the same case in certain things,
> Yes, but really only in certain things.
>>   but when it comes to
>> multi-tenant situations, with MCS Separation. CSP has no answer.
>>> On Fri, Dec 19, 2014 at 10:41 AM, Daniel J Walsh <dwalsh@redhat.com>
>>> wrote:
>>>> Currently Symantec requires SELinux be disabled, claiming there is
>>>> conflicts in the kernel modules.
>>>>
>>>> http://www.symantec.com/connect/forums/does-scsp-agent-support-selinux
>>>>
>>>> As the customer wants to take advantage of certain  SELinux features
>>>> like sVirt for VMs and Docker Containers, this conflict is coming
>>>> to a head.
>>>>
>>>> Is anyone familiar with whether or not this is a real conflict or just
>>>> something assumed by Symantec?
>>>>
>>>> The customer like Symantec's ability to do intrusion detection and
>>>> remote logging and configuration of CSB.
>>>>
>>>> Bottom line the customer wants both.

BTW, we have heard back from Symantec and they plan on supporting
SELinux in a soon to be released update.

We shall see.
