Hi Mark,

I have not yet seen Eamon's presentation, but this work is
on the trunk of the Xorg and SELinux project from what I
recall. I do not believe this support exists in RHEL 5 as it was released a
long time ago when XACE was not yet included in the X server. I
believe the inclusion of the graphical environment in a newer
Fedora release probably still needs the assistance of a
skilled developer with experience in SELinux policy and the X window
environment. The implementation of non-graphical applications is
straightforward to implement in the MLS environment.

-Chad

From: Dyson, Mark L (IS) [mailto:Mark.Dyson@xxxxxxx]
Sent: Wednesday, November 25, 2009 7:52 AM
To: Chad Hanson
Cc: selinux@xxxxxxxxxxxxx
Subject: RE: MLS support for RHEL5?

Chad,

Thanks
for the help thus far, and for your patience. I only have the one machine
available to me, and it came pre-installed both with RHEL5.3 and with a
proprietary software suite that is eventually supposed to run under SELinux
(it’s a port from Trusted Solaris). I don’t have the RHEL install media,
and installing the software itself (so I’m given to understand) is a major
undertaking, so a re-install is very unattractive. I’m also a total
neophyte to SELinux, I hadn’t even heard of it before I was asked to look into
this, and I’m not a Linux guru by any stretch of the
imagination.

The desired end state is to be running Multi-Level Security, and X Windowing support
is also needed, or so I’m given to understand. I read that was problematic
in the books I have, but I understood from the mailing list that Eamon Walsh
just delivered a paper that seemed to indicate it was now supported?
Managing multi-security-level windows in a session is one of the specific issues
I was asked to look into.

Does there exist a laundry list of the packages that need to be installed? I’m
willing to attempt this, if I could get my hands on sufficient guidance, and I’d
hope not to bend the patience of the folks on the list (to which I’m going to CC
this thread so as to spread the burden a little). My current sources of
information are two books about SELinux: The O’Reilly one by Bill McCarty and
the Prentice Hall one by Frank Mayer, Karl MacMillan, and David Caplan.
That’s pretty much it.

So as a more general invitation to chime in: is the mapping from Trusted Solaris to
SELinux for an X-windows application a realistic path? Is SELinux just not
yet ready for such an adventure?

As ever, many thanks,
Mark

From: chanson@xxxxxxxxxxxxx [mailto:chanson@xxxxxxxxxxxxx]

Hi Mark,

The LSPP
functionality can be enabled after installation, however it is probably not an
easy process depending on your experience level with SELinux. You'll need to
manually install the MLS SELinux security policy rpm. You'll want to
make sure the policycoreutils-newrole rpm is installed. These are a few things I
can think of to start with. Really this is just trying to manually add software
and change config to the configuration guide. Also note the CC LSPP
configuration doesn't support X windows for example so this would need to be
disabled as I don't believe it will start in enforcing
mode.

It may
be worthwhile to install the LSPP version in a virtual machine before
trying to convert an existing system. This would be a good idea for
the procedure above as well to verify what will happen with the various steps.
This would let you see what the system should look like after the
conversion.

Cheers,
-Chad

From: Dyson, Mark L (IS) [mailto:Mark.Dyson@xxxxxxx]

Chad,

More newbie questions. I don’t currently have the option of installing RHEL5,
the system came to me pre-installed with the subject application installed as
well. Is this LSPP something that can be added after the fact? The
main issue I was having was the MLS and Strict options weren’t available in the
SELinux config utility. Does that mean I’m hosed unless I can re-install
RHEL5 using the lspp kickstart method?

Thanks in advance,
Mark

From: chanson@xxxxxxxxxxxxx [mailto:chanson@xxxxxxxxxxxxx]

One of the key
components in the lspp rpm is the Configuration Guide. This describes the manner
in which you should install RHEL 5 and mostly isn't hardware specific. The SGI
document is for RHEL 5.1. I would probably start with that. The Dell version
should be for 5.3, but I cannot say for sure.