 
Old 03-13-2011, 03:00 PM
"Josep M. Gasso"
 
Selinux on a Squeeze Desktop

Hello.

I would like to ask if someone has at home a Desktop/Server machine
that runs selinux; my Debian Squeeze machine is always on and is a
mailserver too.

So, I would like to know if there are any desktop problems with selinux, and if
speed is also affected.

Any advice will be appreciated; I plan to install selinux in a few days.

Thanks
Josep



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1300032017.3552.2.camel@mail.navegants.net
 
Old 03-13-2011, 05:55 PM
Patrick Bartek
 
Selinux on a Squeeze Desktop

--- On Sun, 3/13/11, Josep M. Gasso <websurfer@navegants.com> wrote:

> I would like to ask if someone has at home a
> Desktop/Server machine that runs selinux; my Debian Squeeze
> machine is always on and is a mailserver too.

I run Fedora. (And have since FC3.) SELinux is installed by default. It has problems. Not many, but enough to be annoying and require "fixes." I keep it in "Permissive" mode on my home system, which means it logs security issues, but doesn't prevent them. Uninstalling it is next to impossible, since everything on the system has SELinux as a dependency. It (SELinux) is one of the reasons I'm switching to Debian. At least with Debian, I have the OPTION not to install it. I won't be.

> So, I would like to know if there are any desktop problems with
> selinux, and if speed is also affected.

The one problem that I've experienced with SELinux over several versions of Fedora is SELinux will prevent updating (upgrading in Debian-speak) a newly installed or upgraded (dist-upgrade in Debian) system. However, if you disable or put SELinux in permissive, after the system update, it no longer has issues with additional updates. It's a strange beast.

SELinux is fairly efficient. I doubt that it would affect system performance all that much. Although, I've never run any tests. But to run it effectively, you need to be very knowledgeable in its use and configuration. Installing and forgetting won't cut it. Do the research. Study the manuals. Etc.

> Any advice will be appreciated; I plan to install selinux in a
> few days.

I consider SELinux a waste on a "home" system. SELinux is like suspenders: If you have a good belt, you don't need the suspenders. However, in a commercial/business, workstation/server set up, and you're the security guy, I would run it. Even with the problems: better safe than sorry. Or fired. ;-)

Before doing the "real" install, I suggest you use a "test" system first. Like I said above: SELinux is pervasive and uninstalling, if it doesn't suit you, might be a problem, or impossible. A dual boot is best, but a VM would be good enough, but not perfect, for an evaluation.

FYI: I'm not an SELinux "expert." I took one look at the "official" administrative manual, and said "No, thanks." What would you expect from something that was developed by an insanely paranoid government agency? ;-)

B


 
Old 03-13-2011, 06:47 PM
shawn wilson
 
Selinux on a Squeeze Desktop

On Sun, Mar 13, 2011 at 12:00 PM, Josep M. Gasso <websurfer@navegants.com> wrote:

> Hello.
>
> I would like ask if someone have in his home a Desktop/Server machine
> what runs selinux, my Debian Squeeze machine is always on and is a
> mailserver too.
>
> So, I would like if there is any desktop problems with selinux, and if
> speed is also affected.
>
> Any advice will be appreciated, I plan install selinux in a few days.

i think that what patrick said is what most people think when they first look at configuring selinux. however, those who maintain selinux are nice enough to compile a configuration that is not very restrictive and has enough for you to work off of as example if you want to make your system harder. like some other things - vim comes to mind - i wouldn't start with selinux by jumping in with both feet. nor would i even expect to scratch the surface of it in a year of maintaining a system with selinux configured.


selinux runs at kernel level. so, if you want to disable it, you need to do it at boot time (or edit your boot loader's config). which means, if you go and recompile the selinux config and mess something up, you'll probably be disabling it as a boot option at your grub shell. as a kernel level thing, i don't think selinux has any impact to speed (someone might correct me but i'll wager that it's not much if there is a performance impact).


now, i'm a big advocate of virtual machines. they're just as good for people trying to learn new things as they are to data centers. i would suggest installing debian with selinux and leaving it as is. then install another debian on a virtual (i like virtualbox for my prototyping / learning) and immediately taking a snapshot of that install. then, go hack away at selinux. copy your config to another box before you reboot. that way, when you mess something up, instead of going through, disabling selinux and figuring out what you did wrong, you can just revert back to your snapshot, and compare the before and after configs and see what you might try different. the other good thing about that is that when you have something working on your virtual, you should be able to pretty easily apply it to your server.


lastly, there are three mandatory access control systems like this. the most popular two are selinux and apparmor. (don't know who uses grsecurity - just read about it). at any rate, novell and ubuntu use apparmor (novell still puts money into it i think). everyone else uses selinux. i've heard that apparmor is easier *shrug* - it might be, it also looks like it doesn't have the features of selinux so i never bothered with it.


lastly, i think selinux's history is pretty cool. i think in another ten years or so, someone should consider writing a non technical book about the history of it. lastly, i was surprised to see that the nsa has a web page for it (selinuxproject.org being the main project web site): http://www.nsa.gov/research/selinux/

also, floss had an interesting interview with the guy who maintains it now.
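
The point above about switching SELinux off at boot through the boot loader's kernel options can be checked before rebooting. The following is an added example, not part of any post in this thread: a shell function that predicts the mode a machine will come up in from its kernel command line and the text of /etc/selinux/config. The function names and the precedence it encodes (selinux=0 first, then SELINUX=disabled, then enforcing=, then the config's mode) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Predicts the SELinux mode after a reboot.
#   $1  kernel command line (what /proc/cmdline would contain)
#   $2  text of /etc/selinux/config
#   $3  assumed kernel built-in default when selinux= is absent (1 on, 0 off)

# Print the value of the last "name=value" word on a command line.
cmdline_param() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | tail -n 1
}

selinux_boot_mode() {
    kparam=$(cmdline_param "$1" selinux)
    eparam=$(cmdline_param "$1" enforcing)
    [ -n "$kparam" ] || kparam=${3:-1}

    # selinux=0 switches the module off before any policy is loaded.
    if [ "$kparam" = 0 ]; then echo disabled; return 0; fi

    # SELINUX=<mode> from the config; comments and SELINUXTYPE= do not match.
    cfg=$(printf '%s\n' "$2" |
          sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    if [ "$cfg" = disabled ]; then echo disabled; return 0; fi

    # enforcing= on the command line overrides the mode in the config.
    case $eparam in
        0) echo permissive; return 0 ;;
        1) echo enforcing;  return 0 ;;
    esac
    case $cfg in
        enforcing) echo enforcing ;;
        *)         echo permissive ;;   # unset or unknown: nothing is enforced
    esac
}

# Constructed sample: config asks for enforcing, boot loader passes enforcing=0.
sample_config='# constructed sample config
SELINUX=enforcing
SELINUXTYPE=default'
selinux_boot_mode 'root=/dev/sda1 ro quiet selinux=1 security=selinux enforcing=0' \
    "$sample_config"
```

On a live system the same function can be fed `"$(cat /proc/cmdline)"` and `"$(cat /etc/selinux/config)"`; a result of permissive or disabled on a machine expected to enforce is worth investigating before the next reboot.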
 
Old 03-15-2011, 07:38 PM
"Josep M. Gasso"
 
Selinux on a Squeeze Desktop

Hello Patrick.

Thanks for your answers. The only doubts that I have now with selinux
are:

System update with "aptitude safe-upgrade" and "aptitude full-upgrade":
did they give you any problems?

About backups, the only tool for backups is "star", which seems not to be
included in squeeze; are there other similar tools that support extended
attributes included in squeeze?

If I want to uninstall and delete selinux on squeeze, after deleting the
packages, is it possible to delete the extended selinux attributes in files?

If I mount an ext3/ext4 usb hard disk, MUST I relabel this too for
extended attributes? Or can it run without relabeling too?

Thanks
Josep





On Sun, 13-03-2011 at 11:55 -0700, Patrick Bartek wrote:
> --- On Sun, 3/13/11, Josep M. Gasso <websurfer@navegants.com> wrote:
>
> > I would like to ask if someone has at home a
> > Desktop/Server machine that runs selinux; my Debian Squeeze
> > machine is always on and is a mailserver too.
>
> I run Fedora. (And have since FC3.) SELinux is installed by default. It has problems. Not many, but enough to be annoying and require "fixes." I keep it in "Permissive" mode on my home system, which means it logs security issues, but doesn't prevent them. Uninstalling it is next to impossible, since everything on the system has SELinux as a dependency. It (SELinux) is one of the reasons I'm switching to Debian. At least with Debian, I have the OPTION not to install it. I won't be.
>
> > So, I would like to know if there are any desktop problems with
> > selinux, and if speed is also affected.
>
> The one problem that I've experienced with SELinux over several versions of Fedora is SELinux will prevent updating (upgrading in Debian-speak) a newly installed or upgraded (dist-upgrade in Debian) system. However, if you disable or put SELinux in permissive, after the system update, it no longer has issues with additional updates. It's a strange beast.
>
> SELinux is fairly efficient. I doubt that it would affect system performance all that much. Although, I've never run any tests. But to run it effectively, you need to be very knowledgeable in its use and configuration. Installing and forgetting won't cut it. Do the research. Study the manuals. Etc.
>
> > Any advice will be appreciated; I plan to install selinux in a
> > few days.
>
> I consider SELinux a waste on a "home" system. SELinux is like suspenders: If you have a good belt, you don't need the suspenders. However, in a commercial/business, workstation/server set up, and you're the security guy, I would run it. Even with the problems: better safe than sorry. Or fired. ;-)
>
> Before doing the "real" install, I suggest you use a "test" system first. Like I said above: SELinux is pervasive and uninstalling, if it doesn't suit you, might be a problem, or impossible. A dual boot is best, but a VM would be good enough, but not perfect, for an evaluation.
>
> FYI: I'm not an SELinux "expert." I took one look at the "official" administrative manual, and said "No, thanks." What would you expect from something that was developed by an insanely paranoid government agency? ;-)
>
> B
>
>



 
Old 03-15-2011, 07:39 PM
"Josep M. Gasso"
 
Selinux on a Squeeze Desktop

Hello Shawn

Thanks for your answers. I installed selinux on a virtual machine, and it is ok
for first steps... but not with all the apps that I have installed on my
host.

The only doubts that I have now with selinux are:

System update with "aptitude safe-upgrade" and "aptitude full-upgrade":
did they give you any problems?

About backups, the only tool for backups is "star", which seems not to be
included in squeeze; are there other similar tools that support extended
attributes included in squeeze?

If I want to uninstall and delete selinux on squeeze, after deleting the
packages, is it possible to delete the extended selinux attributes in files?

If I mount an ext3/ext4 usb hard disk, MUST I relabel this too for
extended attributes? Or can it run without relabeling too?

Thanks
Josep



 
Old 03-16-2011, 02:29 AM
Patrick Bartek
 
Selinux on a Squeeze Desktop

--- On Tue, 3/15/11, Josep M. Gasso <websurfer@navegants.com> wrote:

> Hello Patrick.
>
> Thanks for your answers. The only doubts that I have now
> with selinux are:
>
> System update with "aptitude safe-upgrade" and "aptitude
> full-upgrade": did they give you any problems?

With SELinux, you never know until you try. Since I run it in "Permissive Mode" on my Fedora 12 home desktop, it doesn't do anything except log exceptions.

> About backups, the only tool for backups is "star", which seems
> not to be included in squeeze; are there other similar tools that
> support extended attributes included in squeeze?

Can't help with star. Not familiar with it. I use rsync with Fedora, and will use it with Debian 6 once it's all set up.

> If I want to uninstall and delete selinux on squeeze, after
> deleting the packages, is it possible to delete the extended
> selinux attributes in files?

Like I said in my original reply, I've never been able to remove SELinux off a Fedora system without destroying the system itself. Don't know if it is possible to remove it from a Debian system once it's been installed.

> If I mount an ext3/ext4 usb hard disk, MUST I relabel this
> too for extended attributes? Or can it run without relabeling too?

Can't help you. Never needed to do that. Try it. It either works or it doesn't.

B

