[opensuse-factory] Provide SELinux policies
Hi list.

As you probably know openSUSE 11.1 comes enabled for SELinux but without policies ( http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement... ) which makes it pretty much useless if one doesn't write all the profiles oneself (which is kinda unlikely).

I would like to suggest to provide profiles & tools as well so SELinux becomes fully usable out of the box. Considering that we currently have 7+ months until the 11.2 release it at least should be possible to get started (as in not covering 100% of all applications which could wait till 11.3 ;D).

However, since it is a pretty complex field with which not very many people are familiar, the foundation probably has to be laid by a few folks who should know that stuff from the inside out (e.g. the security team). Once the foundation is laid policies could be added step by step even by people who aren't absolute experts in that field (needless to say that those have to be thoroughly reviewed). Testing certainly can be done by all as well.

To get started it might probably help to have a look at the RHEL & Fedora policies since they use SELinux for quite some time and most likely learnt more than just a thing or two during this time.

I'm aware that it still would amount to quite some work but the sooner it starts the earlier it is done. Last but not least it's probably superfluous to say that your SLE customers would love working policies as well ;D

So, what do you think?

Regards,
Stephan

PS: Could someone please create a feature for this on f.o.o? I would do it myself but can't do so because I'm not an official member. Thanks a lot in advance.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sat, Mar 21, 2009 at 06:20:08PM +0100, Stephan Kleine wrote:
> Hi list.
>
> As you probably know openSUSE 11.1 comes enabled for SELinux but without policies ( http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement... ) which makes it pretty much useless if one doesn't write all the profiles oneself (which is kinda unlikely).
>
> I would like to suggest to provide profiles & tools as well so SELinux becomes fully usable out of the box. Considering that we currently have 7+ months until the 11.2 release it at least should be possible to get started (as in not covering 100% of all applications which could wait till 11.3 ;D).
>
> However, since it is a pretty complex field with which not very many people are familiar, the foundation probably has to be laid by a few folks who should know that stuff from the inside out (e.g. the security team). Once the foundation is laid policies could be added step by step even by people who aren't absolute experts in that field (needless to say that those have to be thoroughly reviewed). Testing certainly can be done by all as well.
>
> To get started it might probably help to have a look at the RHEL & Fedora policies since they use SELinux for quite some time and most likely learnt more than just a thing or two during this time.
>
> I'm aware that it still would amount to quite some work but the sooner it starts the earlier it is done. Last but not least it's probably superfluous to say that your SLE customers would love working policies as well ;D
>
> So, what do you think?

That would be wonderful to have, are you willing to start creating these policies for others to work off of?

thanks,

greg k-h

On Sat, Mar 21, 2009 at 6:28 PM, Greg KH <gregkh@suse.de> wrote:
> That would be wonderful to have, are you willing to start creating these policies for others to work off of?

As I already said "the foundation probably has to be laid by a few folks who should know that stuff from the inside out (e.g. the security team)" which is way over the top of my expertise.

After that foundation is laid I happily try to help with getting profiles for other applications.

Also there is apparently already work ongoing in the security:SELinux repository

Regards,
Stephan

Stephan Kleine wrote:
> On Sat, Mar 21, 2009 at 6:28 PM, Greg KH <gregkh@suse.de> wrote:
>> That would be wonderful to have, are you willing to start creating these policies for others to work off of?
>
> As I already said "the foundation probably has to be laid by a few folks who should know that stuff from the inside out (e.g. the security team)" which is way over the top of my expertise.
>
> After that foundation is laid I happily try to help with getting profiles for other applications.
>
> Also there is apparently already work ongoing in the security:SELinux repository
>
> Regards, Stephan

Quite a while ago, I had a look at SEEdit http://seedit.sourceforge.net which seemed a nice tick box GUI. Though it looked easy to use, I was not sure of the result of enabling many of the policies and I didn't spend any more time with it.

There are a number of presentations referred to at the above URL which may help anyone with time to devote.

Regards
Sid.

--
Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot
Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Specialist, Cricket Coach
Microsoft Windows Free Zone - Linux used for all Computing Tasks

Stephan Kleine wrote:
> As I already said "the foundation probably has to be laid by a few folks who should know that stuff from the inside out (e.g. the security team)" which is way over the top of my expertise.
>
> After that foundation is laid I happily try to help with getting profiles for other applications.
>
> Also there is apparently already work ongoing in the security:SELinux repository

Hi!

I'm the one responsible for security:SELinux repository. Packages there could be considered as the "official" ones. In openSUSE 11.1 and SLE we shipped only libraries. Tools and policies are available only from this repository. Package selinux-policy with its 3 subpackages (mcs,mls,standard) are reference policies from Tresys[1].

I will add the SEEdit package mentioned in the other mail in a few moments ...

[1] http://oss.tresys.com/projects/refpolicy/

--
Best Regards / S pozdravom,
Pavol RUSNAK SUSE LINUX, s.r.o Package Maintainer Lihovarska 1060/12 PGP 0xA6917144 19000 Praha 9, CR prusnak[at]suse.cz http://www.suse.cz

participants (4)
- Greg KH
- Pavol Rusnak
- Sid Boyce
- Stephan Kleine