Old 01-07-2008, 06:35 PM
John Dennis
 
Another selinux rant

Michael Wiktowy wrote:

On Jan 4, 2008 6:54 PM, Jonathan Underwood <jonathan.underwood@gmail.com> wrote:

That could be the case. Perhaps there's something that could be added
to Smolt to allow the history of avc denials to be uploaded as part of
the profile - that would allow some really interesting analysis.


That is a great idea!

Even just something that indicates the proportion of people using
enforcing/permissive/disabled. That would be useful to either support
or refute the periodic SELinux rant threads based on people's personal
usage patterns and seem to take on a life of their own and inevitably
lead to statistics being pulled out of thin air.


For what it's worth setroubleshoot was designed to allow sending its
analysis to a central server to coalesce all the reports to get a global
view (and to allow notifications to be sent back to the reporter when
their issue was fixed if it was a bug). This was never fully implemented
for the following reasons:


* audit data is security sensitive; transmitting it to a central server
raises a host of issues.


* we needed a host to run the server on, at the time none existed
(fedoraproject might be a viable option today).


* no one thought it was important.

The code in setroubleshoot still has all the logic built into it to
support central aggregation, as it has from day one. But we would have
to build the central server and solve the security issues. But this
would occur if and only if there was a consensus this was important and
volunteers stepped forward to perform the work.


--
John Dennis <jdennis@redhat.com>

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
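As an added example (not code from this thread, from setroubleshoot or from the audit project), the script below sketches the kind of central aggregation John describes while addressing his first objection: it parses AVC denial records from audit.log lines, counts them by source type, target type, object class and permission set, and shows a redacted form of a record that drops the path names, pids, inodes and device fields that make raw audit data sensitive. The sample log lines are constructed for the example; their layout follows the kernel's AVC message format, but every path, pid and inode in them is made up.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample audit.log excerpt (not taken from any real system).
# Two httpd denials on home-directory files, one port bind, one ntpd read.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199738400.101:201): avc:  denied  { read } for  pid=2314 comm="httpd" name="index.html" dev=sda3 ino=40812 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199738400.101:201): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=1 pid=2314 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1199738401.220:202): avc:  denied  { read } for  pid=2314 comm="httpd" name="style.css" dev=sda3 ino=40813 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199738455.007:203): avc:  denied  { name_bind } for  pid=2450 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1199738470.512:204): avc:  denied  { getattr } for  pid=1802 comm="ntpd" path="/etc/ntp.conf" dev=sda3 ino=9921 scontext=system_u:system_r:ntpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Matches the parts of an AVC record needed for policy-level aggregation:
# the denied permission set and the source/target contexts plus object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# An aggregation key: (source type, target type, object class, sorted perms).
DenialKey = Tuple[str, str, str, Tuple[str, ...]]


def context_type(ctx: str) -> str:
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str) -> Optional[DenialKey]:
    """Reduce one AVC denial to a type-level key; non-AVC records yield None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group("perms").split()))
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        perms,
    )


def aggregate_denials(lines: Iterable[str]) -> Counter:
    """Count denials per (source type, target type, class, perms) key.

    The key carries no file names, pids or inode numbers, so the counts can
    be shared more safely than the raw records they were derived from.
    """
    counts: Counter = Counter()
    for line in lines:
        key = parse_avc(line)
        if key is not None:
            counts[key] += 1
    return counts


def redact_avc(line: str) -> str:
    """Blank out the host-specific fields of an AVC record before transmission."""
    line = re.sub(r' (name|path|exe)="[^"]*"', r' \1="<redacted>"', line)
    line = re.sub(r" (pid|ppid|ino)=\d+", r" \1=<redacted>", line)
    line = re.sub(r" dev=\S+", " dev=<redacted>", line)
    return line


def format_report(counts: Counter) -> str:
    """Render the aggregate as one line per key, most frequent first."""
    rows = []
    for (stype, ttype, tclass, perms), n in counts.most_common():
        rows.append(f"{n:5d}  {stype} -> {ttype} ({tclass}) {{ {' '.join(perms)} }}")
    return "\n".join(rows)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    print(format_report(aggregate_denials(lines)))
    print()
    print("redacted record:", redact_avc(lines[0]))
```

Aggregating on type-level keys rather than on full contexts or file names is what makes the counts usable across many hosts: the same httpd_t-reads-user_home_t pattern on a thousand desktops collapses to one row, which is the signal a central server would want, while the redaction step shows the minimum that should be stripped from any record that does have to leave the machine.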
 
Old 01-07-2008, 06:47 PM
John Dennis
 
Another selinux rant

Ralf Corsepius wrote:

* Is it appropriate to inform arbitrary ordinary users about SELinux
issues? Maybe this on single user/non-networked machines, but I don't
think this is the right concept for a networked environment in which
"ordinary user" normally isn't the system admin.


This is why setroubleshoot was designed to operate in a distributed
network mode. At the time of setroubleshoot's initial release it was
felt this was a corner case, that the most likely user of the tool would
be developers and technically astute users both running locally. The
distributed aspects of the tool were never promoted, although they
continue to reside in the code.


In fairness the networked facilities need some enhancements to make them
fully viable. For instance the network traffic is not encrypted, a
critical feature when transmitting security sensitive data and it needs
to be fronted by a more robust authentication mechanism.


--
John Dennis <jdennis@redhat.com>

 
Old 01-07-2008, 07:07 PM
 
Another selinux rant

greetings,


On Mon, Jan 07, 2008 at 02:47:48PM -0500, John Dennis wrote:
[..snipped..]
> In fairness the networked facilities need some enhancements to make them
> fully viable. For instance the network traffic is not encrypted, a
> critical feature when transmitting security sensitive data and it needs
> to be fronted by a more robust authentication mechanism.
>

my use case would be in a private network environment (call center, noc,
etc) so the messages would not necessarily need to be encrypted.. my concern
would be that they get to the central server reliably.

> --
> John Dennis <jdennis@redhat.com>
>

regards,
--jeff
--
http://zoidtechnologies.com/ -- websites that suck less

 
Old 01-07-2008, 08:32 PM
Steve Grubb
 
Another selinux rant

On Monday 07 January 2008 15:07:24 jam@zoidtechnologies.com wrote:
> > In fairness the networked facilities need some enhancements to make them
> > fully viable. For instance the network traffic is not encrypted, a
> > critical feature when transmitting security sensitive data and it needs
> > to be fronted by a more robust authentication mechanism.
>
> my use case would be in a private network environment (call center, noc,
> etc) so the messages would not necessarily need to be encrypted.. my
> concern would be that they get to the central server reliably.

There are plans to create a remote logging plugin for the audit system. This
will handle more traffic than just the avc's. There are a number of issues
that have to be resolved in order for this to work correctly. I hope that it
will be done in time for F9.

-Steve

 
Old 01-07-2008, 11:24 PM
Jason L Tibbitts III
 
Another selinux rant

>>>>> "JD" == John Dennis <jdennis@redhat.com> writes:

JD> This is why setroubleshoot was designed to operate in a
JD> distributed network mode. At the time of setroubleshoot's initial
JD> release it was felt this was a corner case, that the most likely
JD> user of the tool would be developers and technically astute users
JD> both running locally. The distributed aspects of the tool were
JD> never promoted, although they continue to reside in the code.

Well, I for one would be happy to run a local server so that I can
keep an eye on selinux issues on the desktops here. I've been
cautiously rolling selinux out on user desktops and try to run it on
servers whenever I can (which is becoming much more often as I
understand more about how it works) but the only way I know there are
issues is if something explicitly breaks or by reading logwatch
reports.

Of course, my users should never see any kind of setroubleshoot
applet; they have no idea what it would mean and they don't have
privileges to make changes anyway.

- J<

 
Old 01-08-2008, 11:12 AM
Daniel J Walsh
 
Another selinux rant

Ed Swierk wrote:
> On 1/4/08, Matej Cepl <mcepl@redhat.com> wrote:
>> When introducing SELinux on computer where it wasn't before, it
>> is mandatory to
>>
>> touch /.autorelabel
>> reboot
>
> ...and when copying files from another machine not running SELinux,
> and when copying files from a machine running SELinux without using
> funny tar/cp options.
>
> --Ed
>
restorecon on the files is a better solution.

restorecon -R -v /etc

for example.
