* SELinux ISO...
From: Luís Miguel Silva @ 2003-04-20 15:06 UTC
  To: selinux

Hello everybody,

Why isn't there an ISO of SELinux available?

Is the group's policy not to make an ISO available?

I just subscribed to this list a couple of days ago, so I'm sorry if my
question is kind of stupid.

Best regards,
+-----------------------------------------
| Luís Miguel Silva
| Network Administrator@ ISPGaya.pt
| Rua António Rodrigues da Rocha, 291/341
| Sto. Ovídio • 4400-025 V. N. de Gaia
| Portugal
| T: +351 22 3745730/3/5  F: +351 22 3745738
| G: +351 93 6371253      E: lms@ispgaya.pt
| H: http://lms.ispgaya.pt/
+-----------------------------------------



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux ISO...
From: adf--at--Code511.com @ 2003-04-20 18:17 UTC
  To: Luís Miguel Silva, selinux

On 20/04/03 5:06 PM, « Luís Miguel Silva » <lms@ispgaya.pt> wrote:

> Hello everybody,
> 
> Why isn't there an ISO of SELinux available?
> 
> Is the group's policy not to make an ISO available?
> 
> I just subscribed to this list a couple of days ago, so I'm sorry if my
> question is kind of stupid.
Read the FAQ: http://www.nsa.gov/selinux/faq.html#I6

"Yes.  You actually need to have an existing Linux system."
SELinux is a number of utilities with enhanced security functionality; an ISO
would be useless.

Alexandre Da Fonseca aka Deepquest
"If you know the enemy and you know yourself, you
need not fear the result of a hundred battles."
                                           --Sun Tzu
-------------------------------------------------------------
Code511            
http://www.code511.com
PGP DH/DSS http://www.code511.com/pgp   fax :+33-14225-8590
-------------------------------------------------------------




* Re: SELinux ISO...
From: Russell Coker @ 2003-04-21  1:58 UTC
  To: Luís Miguel Silva, selinux

On Mon, 21 Apr 2003 01:06, Luís Miguel Silva wrote:
> Why isn't there an ISO of SELinux available?

So far the only person to work on this is Brian May.  He has paused in his 
work due to issues of bandwidth etc (transferring ISOs over modem links is 
really painful) and due to having other things to work on.

It will get done eventually.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: SELinux ISO...
From: Joshua Brindle @ 2003-04-21  4:29 UTC
  To: lms, selinux

> On Mon, 21 Apr 2003 01:06, Luís Miguel Silva wrote:
> > Why isn't there an ISO of SELinux available?
>
> So far the only person to work on this is Brian May.  He has paused in his
> work due to issues of bandwidth etc (transferring ISOs over modem links is
> really painful) and due to having other things to work on.
>
> It will get done eventually.

http://sourceforge.net/project/showfiles.php?group_id=21266&release_id=122117
There are ISOs available there; I think they are based off Red Hat and
they are sort of old.
--
I think there is a commercial effort to provide these called Westcam(?).
I can't find their URL offhand, but if you search the archives of this list
you should find them.
--
I also have a project which just started up called Hardened Gentoo; one
of the subprojects is SELinux integration. Once we have usable policies
and everything, we'll have an SELinux kernel on the Gentoo install CD.
The SELinux patches, userland patches and kernel are already in our
package tree (called portage).

SELinux on Gentoo isn't yet usable without the kernel in development
mode, but it's quickly getting there. I'll make some sort of announcement
when it's really ready.

I'm not trying to advertise, sorry if it seems that way, but if you are
interested in the project check out http://cvs.gentoo.org/~method . Thanks



* Re: SELinux ISO...
From: Russell Coker @ 2003-04-21  5:30 UTC
  To: Joshua Brindle, lms, selinux

On Mon, 21 Apr 2003 14:29, Joshua Brindle wrote:
> http://sourceforge.net/project/showfiles.php?group_id=21266&release_id=122117
> there are ISOs available there, I think they are based off Red Hat and
> they are sort of old

Have you tried them out?

AFAIK no-one has yet solved all the issues involved in having a full SE Linux 
installation process with all files being labeled all the time.  This would 
require that the root media for the installation (floppy disk image or 
CD-ROM) have all its files labeled with PSIDs so that all programs get the 
right type.

A CD-ROM that just does a regular Linux install with a SE kernel isn't 
particularly exciting.

I did some work that leads toward this when the SE Linux kernel code 
initialised itself on loading the initrd, and I had an initrd with a mini 
policy installed (about 30K compressed from memory) to ensure that everything 
it did was in the correct context.  Some policy changes related to this were 
incorporated in the main policy for init.te, kernel.te, and the sysadm_t and 
user_t policies.  I posted one patch about this on 2002/Sep/10, and some 
other small patches went in around that time.

> --
> I think there is a commercial effort to provide these called Westcam(?)
> I can't find their URL offhand but if you search the archives of this list
> you should find them.

Mark Westerman.

> SELinux on Gentoo isn't yet usable without the kernel in development
> mode, but it's quickly getting there, I'll make some sort of announcement
> when it's really ready.

What problems are you having?  Post here and I'm sure we can offer some useful 
advice.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: SELinux ISO...
From: Joshua Brindle @ 2003-04-21 15:02 UTC
  To: russell, lms, selinux

> On Mon, 21 Apr 2003 14:29, Joshua Brindle wrote:
> > http://sourceforge.net/project/showfiles.php?group_id=21266&release_id=122117
> > there are ISOs available there, I think they are based off Red Hat and
> > they are sort of old
>
> Have you tried them out?

Taken a look at them. I know it labels the filesystem and loads policy,
etc. during install; that's about as far as I got before getting bored with it.


> AFAIK no-one has yet solved all the issues involved in having a full
> SE Linux installation process with all files being labeled all the time.  This
> would require that the root media for the installation (floppy disk image or
> CD-ROM) have all its files labeled with PSIDs so that all programs get the
> right type.
>
> A CD-ROM that just does a regular Linux install with a SE kernel isn't
> particularly exciting.
>
> I did some work that leads toward this when the SE Linux kernel code
> initialised itself on loading the initrd, and I had an initrd with a mini
> policy installed (about 30K compressed from memory) to ensure that everything
> it did was in the correct context.  Some policy changes related to this were
> incorporated in the main policy for init.te, kernel.te, and the sysadm_t and
> user_t policies.  I posted one patch about this on 2002/Sep/10, and some
> other small patches went in around that time.

Won't the filesystem already be labeled? I don't understand the need
for an initrd.

> > --
> > I think there is a commercial effort to provide these called Westcam(?)
> > I can't find their URL offhand but if you search the archives of this list
> > you should find them.
>
> Mark Westerman.

Right, his site westcam.com doesn't appear to be responding.

> > SELinux on Gentoo isn't yet usable without the kernel in development
> > mode, but it's quickly getting there, I'll make some sort of announcement
> > when it's really ready.
>
> What problems are you having?  Post here and I'm sure we can offer
> some useful advice.

We are looking at some logistical issues now. First we need a good way
of transporting policies. Portage does all the package downloads itself,
and limited files can be stored directly in portage; we are looking into
distributing application-specific policies with the accompanying
application rather than having a giant policy package with everything
possible.

Second, we are looking into labeling files before they are installed to
the live filesystem and then moving them while preserving permissions.
One thing we have discussed (and will probably be working on soon) is
adding an argument to setfiles to tell it where to pretend the root is.

Portage compiles and installs apps in a separate part of the
filesystem (/var/tmp/portage/app-ver/ to be exact), and then installs
everything to /var/tmp/portage/app-ver/image and gets a manifest of the
package contents for use later when upgrading or removing. Our idea is
to label all the files in /var/tmp/portage/app-ver/image/ as if they
were on / using the base-policy and the application-specific policy and
then move them to the live filesystem while preserving permissions.

We have not started this yet, we've done some preliminary
experimentation but we still don't have a strong base-policy so we are
working to get that done first.

Any insight or previous experience in this would be greatly
appreciated. :)


* Re: SELinux ISO...
From: Russell Coker @ 2003-04-21 15:44 UTC
  To: Joshua Brindle, selinux

On Tue, 22 Apr 2003 01:02, Joshua Brindle wrote:
> Won't the filesystem already be labeled? I don't understand the need
> for an initrd.

Previously the policy needed to be loaded on the initrd for best operation.  
Since then things have changed, but there is still some convenient support 
for having a small policy and then boot-strapping something bigger.

You can set things up without needing an initrd if you are compiling a kernel 
for exactly the hardware you are using.

> We are looking at some logistical issues now. First we need a good way
> of transporting policies. Portage does all the package downloads itself,
> and limited files can be stored directly in portage, we are looking into
> distributing application specific policies with the accompanying
> application rather than having a giant policy package with everything
> possible.

Yes, I've been dealing with the same issue for Debian.  So far I have decided 
not to bundle policy with application packages.

> Second, we are looking into labeling files before they are installed to
> the live filesystem and then moving them while preserving permissions.
> One thing we have discussed (and will probably be working on soon) is
> adding an argument to setfiles to tell it where to pretend the root is.

I've been thinking about the same things for installation purposes.

Also I've been thinking of making the core setfiles code into a shared object 
so it can be easily called from other applications in a manner similar to the 
"setfiles -s" mode of operation (i.e. labelling individual files, not entire 
filesystems).  Then I would add a way of specifying both the file name and 
the name it is installed on the file system.

So installing a new file can have the following procedure:
1)  Create /bin/bash.tmp .
2)  Tell setfiles to label /bin/bash.tmp as /bin/bash would be labeled.
3)  Rename it to the correct name.

> Portage compiles and installes apps in a separate part of the
> filesystem (/var/tmp/portage/app-ver/) to be exact, and then installs
> everything to /var/tmp/portage/app-ver/image and gets a manifest of the
> package contents for use later when upgrading or removing. Our idea is
> to label all the files in /var/tmp/portage/app-ver/image/ as if they
> were on / using the base-policy and the application specific policy and
> then move them to the live filesystem while preserving permissions.

Of course a statically linked setfiles that could be hard-linked to 
/var/tmp/portage/app-ver before being run in a chroot() setup could do well.

For copying files the only special thing you have to do is to use "cp -a" and 
use the SE Linux modified coreutils.


PS  When you get this done you should run a SE Linux play machine.  At FOSDEM 
people couldn't get to the Gentoo stand for most of the show because of the 
crowd at the Debian stand looking at the SE play machine.  ;)

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


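Joshua's plan (label files under the Portage image directory as if they sat on /) and Russell's three-step install procedure (label /bin/bash.tmp as /bin/bash would be labeled, then rename) both reduce to one operation: look up the context for the intended path in file_contexts rather than for the file's current name. The following Python is an added illustration, not code from this thread or from setfiles; it uses a constructed mini file_contexts and assumes a last-matching-entry-wins ordering.

```python
import re
from pathlib import PurePosixPath

# Constructed mini file_contexts in the "regex [-type] context" layout;
# the entries are illustrative, not taken from any real policy.
FILE_CONTEXTS = """
/.*                       system_u:object_r:default_t
/bin(/.*)?                system_u:object_r:bin_t
/bin/bash             --  system_u:object_r:shell_exec_t
/var/tmp(/.*)?            system_u:object_r:tmp_t
"""

def parse_file_contexts(text):
    """Return [(compiled regex, file type or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ftype = parts[1] if len(parts) == 3 else None
        specs.append((re.compile(parts[0]), ftype, parts[-1]))
    return specs

def match_context(specs, path):
    """Context a path would get: whole-path match, last matching entry wins
    (assumed ordering for this toy matcher; later entries take precedence)."""
    winner = None
    for regex, _ftype, context in specs:
        if regex.fullmatch(path):
            winner = context
    return winner

def staged_install_context(specs, final_path):
    """Russell's step 2: /bin/bash.tmp gets the context /bin/bash would
    receive, so the lookup uses the final name, never the temporary one."""
    return match_context(specs, final_path)

def plan_labels(specs, image_root, files):
    """Joshua's scheme: treat image_root as / when labelling staged files.
    Returns {real path: context} to apply (e.g. with chcon) before the files
    are moved onto the live filesystem with their permissions preserved."""
    root = PurePosixPath(image_root)
    plan = {}
    for real in files:
        virtual = "/" + PurePosixPath(real).relative_to(root).as_posix()
        plan[real] = match_context(specs, virtual)
    return plan

SPECS = parse_file_contexts(FILE_CONTEXTS)
```

Labelling by the temporary name (/bin/bash.tmp) or by the staging path under /var/tmp would yield bin_t or tmp_t instead of shell_exec_t, which is exactly the mislabel both schemes are designed to avoid.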
