09-02-2011, 02:50 PM
John Doe

Selinux extra packages and compiled apps

Hey,

I am in the process of trying (and convincing my colleagues) to learn/setup
selinux as we switch to 6.0...
Quick question: do I really "need" to install the setools/setroubleshoot
packages or can I live without them? They want to install 80 packages
(gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing
all sort of graphical tools/libs on my lean servers.

Can I just install setools-console by example?

Is there a console only equivalent for setroubleshoot?

If you know a must-have "selinux for dummies" like howto, apart from
Redhat/Fedora doc or CentOS wiki, I am interested! Especially if it covers
the case of many non-standard applications (the
policy here is to use compiled apaches/php/mencoder/ffmpeg/..., all
installed (with their data/logs) in a "/OURDIR" directory (but still
use /var/run for the pids and a few others depending on the app),
init.d scripts, logrotates, etc...


Thx,
JD

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
09-02-2011, 04:15 PM
R P Herrold

Selinux extra packages and compiled apps

On Fri, 2 Sep 2011, John Doe wrote:

> I am in the process of trying (and convincing my colleagues) to learn/setup
> selinux as we switch to 6.0...
> Quick question: do I really "need" to install the setools/setroubleshoot
> packages or can I live without them? They want to install 80 packages
> (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing
> all sort of graphical tools/libs on my lean servers.

> Can I just install setools-console by example?

What does experimentation with yum in a testing mode indicate
with the packageset on your box? Dependency trees have an
effectively infinite number of permutations.

> Is there a console only equivalent for setroubleshoot?
>
> If you know a must-have "selinux for dummies" like howto, apart from
> Redhat/Fedora doc or CentOS wiki

What is wrong with the article at:
http://wiki.centos.org/HowTos/SELinux

as the timestamps will indicate another CentOS dev team member
pointed out some deficiencies to me in it last night, and I
was working on it for a couple of hours, and then a docs group
member did style cleanups behind me

It is not a completed work, but it is now relevant to CentOS
6

It also covers writing custom rules for local 'in house'
applications

I also know that the CentOS Planet RSS aggregator carried a
rather long teaching rant I wrote a while back
http://orcorc.blogspot.com/2010/12/ripping-out-safeties.html

seemingly right before I injured my ankle, from the datestamp --
probably a bad karma reward from the internet deities and
spirits for my attitudinal expectation that technical people
do research before asking

yeah -- I am just a sore head -- that's it

-- Russ herrold
 
09-06-2011, 01:03 PM
John Doe

Selinux extra packages and compiled apps

Russ herrold wrote:
>> Quick question: do I really "need" to install the setools/setroubleshoot
>> packages or can I live without them? They want to install 80 packages
>> (gnome stuff, gstreamer, gtk, tcl/tk...) and I would like to avoid installing
>> all sort of graphical tools/libs on my lean servers.
>> Can I just install setools-console by example?
> What does experimentation with yum in a testing mode indicate
> with the packageset on your box - dependency trees have an
> effectively infinite number of permutations

My question was more "do I really need this package to work with selinux?"
I installed setools-console and so far it seems enough...
So, can I skip setroubleshoot?

>> If you know a must-have "selinux for dummies" like howto, apart from
>> Redhat/Fedora doc or CentOS wiki
> What is wrong with the article at:
> http://wiki.centos.org/HowTos/SELinux

Nothing wrong; I already read it, and will read the redhat doc...
Just looking for all the doc I can find on the subject.
And maybe also for the hidden secret magic button that will auto-write
the hundreds custom policies we will need...
Creating a custom policy for an apache to use a non standard rootdir or
port seems indeed easy with audit2allow... But several of our servers
are more or less 10% standard (rpm based) and 90% custom, with dozens
of apps/scripts listening on dozens non standard ports, sockets, accessing
many files here and there...
So the task is a bit daunting.

Thx,
JD

PS: Any one found/made a Zimbra policy module? ^_^
 
09-06-2011, 02:09 PM
Daniel J Walsh

Selinux extra packages and compiled apps


On 09/02/2011 10:50 AM, John Doe wrote:
> Hey,
>
> I am in the process of trying (and convincing my colleagues) to
> learn/setup selinux as we switch to 6.0...
> Quick question: do I really "need" to install the
> setools/setroubleshoot packages or can I live without them? They
> want to install 80 packages (gnome stuff, gstreamer, gtk, tcl/tk...)
> and I would like to avoid installing all sort of graphical
> tools/libs on my lean servers.
>
> Can I just install setools-console by example?
>
> Is there a console only equivalent for setroubleshoot?
>
> If you know a must-have "selinux for dummies" like howto, apart
> from Redhat/Fedora doc or CentOS wiki, I am interested! Especially if it
> covers the case of many non-standard applications (the policy here
> is to use compiled apaches/php/mencoder/ffmpeg/..., all installed
> (with their data/logs) in a "/OURDIR" directory (but still use
> /var/run for the pids and a few others depending on the app),
> init.d scripts, logrotates, etc...
>
> Thx, JD

setools and setroubleshoot are not required to be run by SELinux.

setroubleshoot-server is supposed to be able to be used on server
machine and able to send email on errors that it sees.

 
09-06-2011, 05:59 PM
Jim Wildman

Selinux extra packages and compiled apps

On Tue, 6 Sep 2011, John Doe wrote:

> Nothing wrong; I already read it, and will read the redhat doc...
> Just looking for all the doc I can find on the subject.
> And maybe also for the hidden secret magic button that will auto-write
> the hundreds custom policies we will need...
> Creating a custom policy for an apache to use a non standard rootdir or
> port seems indeed easy with audit2allow... But several of our servers
> are more or less 10% standard (rpm based) and 90% custom, with dozens
> of apps/scripts listening on dozens non standard ports, sockets, accessing
> many files here and there...
> So the task is a bit daunting.

This illustrates a point I was making to Russ offlist...the only way I
see to implement selinux in an 'enterprise' environment is to do it on a
major version revision. And you will need buy in up to the 'C' level to
beat back the murderous hordes of programmers and admins whose stuff
will 'break'. Or you sign up to an endless treadmill of piecemeal
selinux admin.

(IMO selinux is great...)

----------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.net
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine
 
09-07-2011, 09:49 AM
John Doe

Selinux extra packages and compiled apps

From: Daniel J Walsh <dwalsh@redhat.com>

> setools and setroubleshoot are not required to be run by SELinux.
> setroubleshoot-server is supposed to be able to be used on server
> machine and able to send email on errors that it sees.

I installed setools-console since it was small.
And, instead of setroubleshoot-server, will maybe write a small script
to send emails when there are AVC messages...

Thx,
JD
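
A console-only sketch of the "mail me the AVC messages" idea raised in the post above, as an added example that is not part of the thread or any poster's code. It parses audit.log-style lines, groups denials by command, source type, target type, class and permission, and builds (but does not send) a mail message; the function names are hypothetical and the sample log lines are constructed.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample lines in audit.log format (not taken from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1315388940.101:310): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1315388940.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1315388941.220:311): avc:  denied  { read } for  pid=2102 comm="httpd" name="logo.png" dev=dm-0 ino=1312 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1315388950.007:312): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_avc(log_text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms = " ".join(sorted(m.group("perms").split()))
            counts[(m.group("comm"), selinux_type(m.group("scontext")),
                    selinux_type(m.group("tcontext")), m.group("tclass"), perms)] += 1
    return counts

def build_report(counts, sender, recipient):
    """Build (not send) a mail message, or None when there is nothing to report."""
    if not counts:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "SELinux: %d AVC denial(s)" % sum(counts.values())
    rows = ["%4d  %s: %s -> %s (%s) { %s }" % ((n,) + key)
            for key, n in counts.most_common()]
    msg.set_content("\n".join(rows))
    return msg

if __name__ == "__main__":
    print(build_report(summarize_avc(SAMPLE_LOG), "root@localhost", "root@localhost"))
```

Grouping by type pair rather than mailing raw lines keeps the report short on hosts with many custom applications, and each row maps directly to one candidate rule to review before feeding anything to audit2allow.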