I finished the install this morning, selinux is up and runing. It all seems to be running ok.
The README (Building & Installing) instructions worked great. The only problem I ran into was that I missed step 15 (adding /usr/local/selinux/bin to the path).
I read earlier that selinux had no support for x windows, is this still true with this latest drop? Is anyone working on a secured desktop?
I have installed Bastille (www.bastille-linux.org) and am using the firewall that comes with it. Will this conflict with anything in selinux?
Conan
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Westerman, Mark <Mark.Westerman_at_csoconline.com>
The current version of selinux does support X-Windows, but does not support
a graphice login.
I have ported gdm (gnone display manager) to selinux. When I Finish the
policies files for
the gdm I will mail the port and policy file to you if you would like.
Mark Westerman
-----Original Message-----
From: Conan Callen [mailto:ccallen@windowpane.com]
Sent: Wednesday, August 29, 2001 4:49 PM
To: selinux@tycho.nsa.gov
Subject: Successful install
I finished the install this morning, selinux is up and runing. It all seems to be running ok.
The README (Building & Installing) instructions worked great. The only problem I ran into was that I missed step 15 (adding /usr/local/selinux/bin to the path).
I read earlier that selinux had no support for x windows, is this still true with this latest drop? Is anyone working on a secured desktop?
I have installed Bastille ( www.bastille-linux.org <http://www.bastille-linux.org> ) and am using the firewall that comes with it. Will this conflict with anything in selinux?
Conan
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Stephen Smalley <sds_at_tislabs.com>
On Wed, 29 Aug 2001, Conan Callen wrote:
> I finished the install this morning, selinux is up and runing.
> It all seems to be running ok.
Good. Be sure to verify that none of your daemons were left in the initrc_t domain by checking the ps -e --context output. If so, then you'll need to define domains for those daemons or disable them if you don't want to use them. Also check your /var/log/messages file for 'avc: denied' messages to see if you need to add any permissions to the example policy for your particular system. When you think the policy is ready, you can toggle the system into enforcing mode with avc_toggle (or rebuild the kernel with CONFIG_FLASK_DEVELOP undefined).
> I read earlier that selinux had no support for x windows, is this still
> true with this latest drop? Is anyone working on a secured desktop?
In the example policy released with the new prototype, I commented out some of the permissions needed by the X server because they are very dangerous. See the lines preceded by 'Commented out by default' in policy/domains/program/xserver.te. You can uncomment those permissions if you want, but the consequence is that a bug in the X server can be catastrophic to the security of your system. Also, this only allows you to run X via startx after a normal login - it doesn't deal with running an X display manager. Mark Westerman has made some modifications to gdm for this purpose and put them on the sourceforge site.
The X server really needs to be partitioned up more, so that only a small section of code needs to be granted these highly sensitive permissions.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT