Re: Possible bug in finding default context?

On Fri, Aug 10, 2012 at 07:13:03PM +1000, Russell Coker wrote:
> On Fri, 10 Aug 2012, Ole Kliemann <ole@xxxxxxxxxxxxxxx> wrote:
> > I'm doing this on Ubuntu 12.04, so it could be the crappily 
> > maintained selinux userland here.
> 
> What are the problems in Ubuntu SE Linux?
> 
> I've idly considered joining the Ubuntu project to help maintain SE Linux 
> there.  Doing it for two Debian-based distros can't be much more work than 
> doing it for one.

Admittedly that statement contains a lot of prejudice. When I 
started with SELinux I had, as expected, problems finding my way 
around. Documentation is often hard to find. The only good 
reference I found so far is Richard Haines' SELinux Notebook.

But that's, like most SELinux documentation, quite abstract. If 
you want more concrete information you always end up on the 
websites of either Red Hat or Fedora. If you google for Ubuntu 
and SELinux you won't find much.

Running a strict SELinux policy is a rather delicate affair. My 
overall feeling regarding Ubuntu policy was: I shouldn't be 
surprised if something suddenly stops working. But TBH I never 
really tested it. When I tried installing the Ubuntu policy on my 
test system right now, it failed due to some error, but normally 
installing works. (I probably messed something up.)

There are a few problems I ran into that I remember off the top 
of my head:

Reference policy sources can be installed and compiled but not 
inserted due to missing dependencies.

There's a null pointer dereference in libsemanage, something 
with genhomedircon, when trying to build a non-MCS policy. That's 
a known issue but unpatched in Ubuntu.

The reference policy Ubuntu's policy is based on is something 
from 2009. It doesn't have the

    bool mmap_low_allowed false;

As far as my limited understanding goes that isn't a problem 
unless you do something stupid anyway. (Like installing Wine...  
vm.mmap_min_addr is set to 65536 by default on Ubuntu.)


So bottom line: Things aren't necessarily bad. But they do look 
old. And I just lack the trust that the policy is maintained in a 
way that I can do updates without worries. Hence my prejudice.

Ole
