i am interested in Secure Linux.
do you have guid that shows how to build/patch your source code
into an exiting Linux kernel.
what is expected completion date for the user and administrative
guides?
is this more secure than OpenBSD?
can i use this in an existing Debian distribution?
i see no activity in list archives since april,
is this effort still active?
i am just beginning to really learn how to program but let me
know if i can help in any way, i have some experience with code
documentation and v&v testing.
regards,
Zach
uram@cmu.edu
"Blessed are those who have not seen and yet have faith." - John 20:29
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Stephen Smalley <sds_at_tislabs.com>
On Thu, 7 Jun 2001, Zachary Uram wrote:
> do you have guid that shows how to build/patch your source code
> into an exiting Linux kernel.
You can apply the kernel patch available on the download page to an ordinary 2.4.3 kernel from www.kernel.org. But you are better off simply downloading the complete package and following the INSTALL instructions. Do you have a specific reason why you want to patch some other version/variant of the Linux kernel?
> what is expected completion date for the user and administrative
> guides?
As far as I know, no one is working on such guides currently.
> is this more secure than OpenBSD?
They aren't really comparable. SELinux is NOT a secure Linux distribution. It is a reference implementation of a flexible access control architecture in the Linux kernel, and an example security policy configuration that shows how to use those controls. The access controls can confine the actions of any process, including superuser processes, so the potential damage that can be done by exploiting a flaw in an application can be strictly limited and so that users can be protected against malicious software. Some modified applications are provided to help demonstrate some of the kernel features, but they are not integral to the system. SELinux is more analagous to the TrustedBSD project than to the OpenBSD project. The OpenBSD project is focused on a BSD distribution that is free from known security problems and that incorporates cryptographic mechanisms. Hopefully, some of the TrustedBSD project work will filter over to the OpenBSD project as well, so that similar access controls will become available in OpenBSD.
> can i use this in an existing Debian distribution?
We've only used it with RedHat distributions (originally 6.1 and 6.2, and lately with 7.1). I would expect that you could use it with a Debian distribution, but you would have to adapt the build/install process, account for differences in the modified applications, and adjust the policy configuration for a Debian environment.
> i see no activity in list archives since april,
The archives at the NSA web site are only updated when a new release is made. You can fetch more up-to-date archives via email to majordomo or you can access an unofficial archive at http://marc.theaimsgroup.com/?l=selinux.
> is this effort still active?
The effort is active, but it is in a new phase. The original SELinux prototype was presented to the Linux kernel developers at the Linux Kernel Summit. Based on their feedback, we are now working with the recently started Linux Security Modules (LSM) effort to transfer the SELinux functionality into a security module that works with LSM and to ensure that the LSM framework will support SELinux. We haven't been doing any new development on the old prototype lately.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Jonathan Day <jd9812_at_my-deja.com>
First, as I understand it, the web archives of the mailing list are updated if and only if (iff, to maths-types) there are other changes made. Thus, when the next selinux patch comes out, the archives will rush forward to that time.
Second, selinux and OpenBSD aim for security in two orthogonal ways. (ie: They don't interact at all.) SELinux aims for security through setting up quantifiable boundaries on resources. Nothing goes in or out, without explicit permission. Thus, if a program is compromised, the impact of that is going to be much smaller than it would be, otherwise.
OpenBSD is an exercise in phenominal auditing. I think they've found one, maybe two, potential security problems in the pasy year. It is also a hotbed of encryption. Their IPSec implementation is extremely good, for example, and OpenSSH is one of the best SSH clones going.
As for which is better, it depends on which track suits your needs the best. Personally, I suspect that when the Stanford Checker is released onto the world, the wholesale auditing of Linux, the various extensions, and every package ever written for it, will become an industry of its own.
The other thing you need to consider is that SELinux, as it stands, isn't designed to work with MOSIX, yet MOSIX seems (from the publicity) to be destined for the kernel. This means that SELinux is going to need some degree of extending and bashing to get it to work with a distributed environment.
I've never tried SELinux with Debian, but it should run just fine. It's not distribution-specific.
Hope this helps
>Date: Thu, 7 Jun 2001 17:47:35 -0400 (EDT)
>From: Zachary Uram <zu22@andrew.cmu.edu>
>To: selinux@tycho.nsa.gov
>SUBJECT
>i am interested in Secure Linux.
>do you have guid that shows how to build/patch your source code
>into an exiting Linux kernel.
>what is expected completion date for the user and administrative
>guides?
>is this more secure than OpenBSD?
>can i use this in an existing Debian distribution?
>i see no activity in list archives since april,
>is this effort still active?
>i am just beginning to really learn how to program but let me
>know if i can help in any way, i have some experience with code
>documentation and v&v testing.
>
>regards,
>Zach
>
>
>uram@cmu.edu
>"Blessed are those who have not seen and yet have faith." - John 20:29
>
>
>
>
>
>--
>You have received this message because you are subscribed to the selinux list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Zachary Uram <zu22_at_andrew.cmu.edu>
On Fri, 8 Jun 2001, Jonathan Day wrote:
>
> Second, selinux and OpenBSD aim for security in two orthogonal ways. (ie: They don't interact at all.) SELinux aims for security through setting up quantifiable boundaries on resources. Nothing goes in or out, without explicit permission. Thus, if a program is compromised, the impact of that is going to be much smaller than it would be, otherwise.
Hi Jonathan,
Oh I see.
> OpenBSD is an exercise in phenominal auditing. I think they've found one, maybe two, potential security problems in the pasy year. It is also a hotbed of encryption. Their IPSec implementation is extremely good, for example, and OpenSSH is one of the best SSH clones going.
Auditing is software verification & validation testing? How do they find the bugs in the code?
> As for which is better, it depends on which track suits your needs the best. Personally, I suspect that when the Stanford Checker is released onto the world, the wholesale auditing of Linux, the various extensions, and every package ever written for it, will become an industry of its own.
What is Stanford Checker? Can I download it for free? What is website? Is it like the weblint of Linux security?
> The other thing you need to consider is that SELinux, as it stands, isn't designed to work with MOSIX, yet MOSIX seems (from the publicity) to be destined for the kernel. This means that SELinux is going to need some degree of extending and bashing to get it to work with a distributed environment.
MOSIX is to Linux as POSIX is to UNIX? Does MOSIX have website?
> I've never tried SELinux with Debian, but it should run just fine. It's not distribution-specific.
Cool.
Thanks.
I want to start installing different secure OSes on my machines and then try break in and examine my logs to learn.
SDG,
Zach
uram@cmu.edu
"Blessed are those who have not seen and yet have faith." - John 20:29
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:53 EDT