* An SELinux policy for Red Hat 9
From: Bradley Chapman @ 2004-07-08 20:17 UTC (permalink / raw)
To: selinux
Does anyone know of a good place where I can start reading about how
to adapt, or obtain, an SELinux policy for Red Hat 9, running the
2.6.7 kernel with the SELinux userspace package dated 20040628-16?
TIA!
Brad Chapman
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: An SELinux policy for Red Hat 9
From: Russell Coker @ 2004-07-09 11:11 UTC (permalink / raw)
To: Bradley Chapman; +Cc: selinux
On Fri, 9 Jul 2004 06:17, Bradley Chapman <kakadu@gmail.com> wrote:
> Does anyone know of a good place where I can start reading about how
> to adapt, or obtain, an SELinux policy for Red Hat 9, running the
> 2.6.7 kernel with the SELinux userspace package dated 20040628-16?
Why would you want to do that? Consider Fedora Core 1 as RHL 10, and FC2 as
RHL 11 and just upgrade a couple of versions to get SE Linux support.
But if you REALLY want to use RHL 9, the current policy should work OK, you
just have to make the appropriate changes to pam, logrotate, cron, coreutils,
etc.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: An SELinux policy for Red Hat 9
From: Bradley Chapman @ 2004-07-09 11:43 UTC (permalink / raw)
To: russell; +Cc: selinux
Mr. Coker,
On Fri, 9 Jul 2004 21:11:55 +1000, Russell Coker <russell@coker.com.au> wrote:
>
>
> On Fri, 9 Jul 2004 06:17, Bradley Chapman <kakadu@gmail.com> wrote:
> > Does anyone know of a good place where I can start reading about how
> > to adapt, or obtain, an SELinux policy for Red Hat 9, running the
> > 2.6.7 kernel with the SELinux userspace package dated 20040628-16?
>
> Why would you want to do that? Consider Fedora Core 1 as RHL 10, and FC2 as
> RHL 11 and just upgrade a couple of versions to get SE Linux support.
I would do that - except for the fact that the system I want to run
SELinux on is my personal system, and upgrading it is currently not
something I wish to do. I may want to upgrade to FC2 later, but right
now I want to stick with RHL9.
>
> But if you REALLY want to use RHL 9, the current policy should work OK, you
> just have to make the appropriate changes to pam, logrotate, cron, coreutils,
> etc.
What sort of changes? Path changes?
Thanks,
Brad
* Re: An SELinux policy for Red Hat 9
From: Stephen Smalley @ 2004-07-09 12:14 UTC (permalink / raw)
To: Bradley Chapman; +Cc: Russell Coker, selinux
On Fri, 2004-07-09 at 07:43, Bradley Chapman wrote:
> On Fri, 9 Jul 2004 21:11:55 +1000, Russell Coker <russell@coker.com.au> wrote:
> > But if you REALLY want to use RHL 9, the current policy should work OK, you
> > just have to make the appropriate changes to pam, logrotate, cron, coreutils,
> > etc.
>
> What sort of changes? Path changes?
I think Russell is referring to the userland patches for those
packages. The current patches and SRPMS in our userland tree are drawn
from the Fedora Core development tree, so you are likely to run into
dependency problems building them on RH9. And Fedora Core actually
includes _many_ other patched userland packages for SELinux; we only
maintain a core subset in our tree for reference purposes for people who
want to port to other distributions. A few examples of patched userland
packages in Fedora Core that are not in our tree include gdm, usermode,
atd, and libuser, and there are many others. There is also the issue of
glibc security awareness; the RH9 glibc won't enable secure mode upon
domain transitions, unlike the Fedora Core glibc.
If you truly are limited to using RH9, then you should likely grab an
older release of SELinux that was based on RH9. But life will be
simpler if you can move to FC2.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
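An added illustration of the glibc "secure mode" point in the message above, not part of the original thread and written against a current Linux libc rather than the 2004 packages. It assumes the kernel reports a security-sensitive exec through the `AT_SECURE` auxiliary-vector entry and that `getauxval()` is available; `trusted_getenv` is a hypothetical helper showing what a secure-mode-aware library does with its environment.

```c
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <unistd.h>

/* 1 if the kernel flagged this exec as security-sensitive (setuid/setgid,
 * or a security module such as SELinux requesting it), else 0. */
int at_secure_libc(void) { return getauxval(AT_SECURE) != 0; }

/* Independent check: walk the raw auxiliary vector the kernel handed over.
 * Returns 0 or 1, or -1 if /proc is unavailable or AT_SECURE is absent. */
int at_secure_raw(void)
{
    unsigned long pair[2];              /* each entry is {type, value} */
    int result = -1;
    int fd = open("/proc/self/auxv", O_RDONLY);
    if (fd < 0)
        return -1;
    while (read(fd, pair, sizeof pair) == (ssize_t)sizeof pair) {
        if (pair[0] == AT_NULL)         /* end-of-vector marker */
            break;
        if (pair[0] == AT_SECURE) {
            result = pair[1] != 0;
            break;
        }
    }
    close(fd);
    return result;
}

/* Hypothetical helper: a library that is "security aware" refuses to trust
 * caller-controlled environment variables once secure mode is on. */
const char *trusted_getenv(const char *name)
{
    return at_secure_libc() ? NULL : getenv(name);
}

int main(void)
{
    const char *preload = trusted_getenv("LD_PRELOAD");
    printf("AT_SECURE (getauxval):       %d\n", at_secure_libc());
    printf("AT_SECURE (/proc/self/auxv): %d\n", at_secure_raw());
    printf("LD_PRELOAD as seen by a secure-mode-aware library: %s\n",
           preload ? preload : "(ignored or unset)");
    return 0;
}
```

A libc that never enters secure mode keeps honouring variables such as `LD_PRELOAD` in the new domain, which is the gap the message describes for the RH9 glibc.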
* Re: An SELinux policy for Red Hat 9
From: Bradley Chapman @ 2004-07-09 14:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, russell
Mr. Smalley,
On Fri, 09 Jul 2004 08:14:13 -0400, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
>
>
> On Fri, 2004-07-09 at 07:43, Bradley Chapman wrote:
> > On Fri, 9 Jul 2004 21:11:55 +1000, Russell Coker <russell@coker.com.au> wrote:
> > > But if you REALLY want to use RHL 9, the current policy should work OK, you
> > > just have to make the appropriate changes to pam, logrotate, cron, coreutils,
> > > etc.
> >
> > What sort of changes? Path changes?
>
> I think Russell is referring to the userland patches for those
> packages. The current patches and SRPMS in our userland tree are drawn
> from the Fedora Core development tree, so you are likely to run into
> dependency problems building them on RH9. And Fedora Core actually
> includes _many_ other patched userland packages for SELinux; we only
> maintain a core subset in our tree for reference purposes for people who
> want to port to other distributions. A few examples of patched userland
> packages in Fedora Core that are not in our tree include gdm, usermode,
> atd, and libuser, and there are many others. There is also the issue of
> glibc security awareness; the RH9 glibc won't enable secure mode upon
> domain transitions, unlike the Fedora Core glibc.
Oh.
I thought the patches mentioned were confined mostly to core system
utilities; I had no idea that FC2's modifications for SELinux were
quite that extensive!
>
> If you truly are limited to using RH9, then you should likely grab an
> older release of SELinux that was based on RH9. But life will be
> simpler if you can move to FC2.
Well, in light of your recommendations, I will certainly consider such
a move now.
If I do decide to move to FC2, how difficult will it then become to
adapt the SELinux policy to my needs?
>
> --
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
>
Brad
* Re: An SELinux policy for Red Hat 9
From: Stephen Smalley @ 2004-07-09 16:22 UTC (permalink / raw)
To: Bradley Chapman; +Cc: selinux, Russell Coker
On Fri, 2004-07-09 at 10:52, Bradley Chapman wrote:
> Well, in light of your recommendations, I will certainly consider such
> a move now.
> If I do decide to move to FC2, how difficult will it then become to
> adapt the SELinux policy to my needs?
No more difficult than usual; you just install the policy-sources RPM
and then customize and rebuild as desired. You also likely want setools
and setools-gui. However, in general, you may want to do some selective
updating of SELinux-related packages from the Fedora development tree
after installing FC2 in order to pick up the latest policy, which has
been reorganized and partitioned to support multiple policies. This
also requires pulling in the SysVinit, libselinux, and policycoreutils
from the development tree.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: An SELinux policy for Red Hat 9
From: Valdis.Kletnieks @ 2004-07-09 17:30 UTC (permalink / raw)
To: Bradley Chapman; +Cc: Stephen Smalley, selinux, russell
On Fri, 09 Jul 2004 15:52:00 BST, Bradley Chapman said:
> If I do decide to move to FC2, how difficult will it then become to
> adapt the SELinux policy to my needs?
This will of course depend on how divergent your needs are from either
the 'targeted' or 'strict' policies already in the tree. The biggest issue
is whether you have a custom application that needs policy written (and
there's tools to assist in that).