Debian kernels (Debian Developers list archive, May 2005)
| Russell Coker 2005-05-29, 2:48 am |
| The current Debian kernels have SE Linux compiled in, but not in a form that
is usable.
The option CONFIG_AUDIT needs to be enabled to allow SE Linux access denials
to be logged, without this it is impossible to use SE Linux. While making
such changes enabling the option CONFIG_AUDITSYSCALL would be useful, this
enables auditing of the system calls performed by applications. Using this
requires the auditd package to be installed (*).
http://www.nsa.gov/selinux/code/download5.cfm
There is also a patch to 2.6.11 that changes the checks for executable memory
which is needed to make a Debian SE Linux system usable. It's available at
the above URL and should be in 2.6.12. It would be good if this patch could
be included into a Debian 2.6.11 kernel package to enable testing and
development of SE Linux on Debian.
(*) I don't have time to take on another package at the moment. But I would
be happy to help someone who wants to package auditd.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
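A check for the kernel options named in the post above, as an added example that is not part of the original thread. The helper names `kconfig_state` and `selinux_audit_ready` are hypothetical, `CONFIG_SECURITY_SELINUX` is assumed to be the option that compiles SE Linux in, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: inspect a kernel .config (on Debian typically
# /boot/config-$(uname -r)) for the options discussed in the post.

# Print y, m or n for option $2 in kernel config file $1.
# Set options look like "CONFIG_AUDIT=y"; unset ones look like
# "# CONFIG_AUDIT is not set" or are absent, both reported as n.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# Return 0 only if SE Linux and the audit layer are both built in (=y).
# Prints one line per option so the missing piece is visible.
selinux_audit_ready() {
    cfg=$1
    rc=0
    for opt in CONFIG_SECURITY_SELINUX CONFIG_AUDIT; do
        state=$(kconfig_state "$cfg" "$opt")
        printf '%s=%s\n' "$opt" "$state"
        [ "$state" = y ] || rc=1
    done
    # Useful but not required per the post: syscall auditing via auditd.
    printf 'CONFIG_AUDITSYSCALL=%s (optional)\n' \
        "$(kconfig_state "$cfg" CONFIG_AUDITSYSCALL)"
    return $rc
}

# Constructed sample: SE Linux compiled in, audit layer missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_AUDIT is not set
# CONFIG_AUDITSYSCALL is not set
EOF
if selinux_audit_ready "$sample"; then
    echo "config has SE Linux and the audit layer built in"
else
    echo "config is missing SE Linux or the audit layer"
fi
rm -f "$sample"
```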
| Laszlo Boszormenyi 2005-05-29, 5:54 pm |
| On Sun, 2005-05-29 at 16:09 +1000, Russell Coker wrote:
> The option CONFIG_AUDIT needs to be enabled to allow SE Linux access denials
> to be logged, without this it is impossible to use SE Linux. While making
> such changes enabling the option CONFIG_AUDITSYSCALL would be useful, this
> enables auditing of the system calls performed by applications. Using this
> requires the auditd package to be installed (*).
[...]
> (*) I don't have time to take on another package at the moment. But I would
> be happy to help someone who wants to package auditd.
I have a little time and would like to package auditd. There are two
problems I am asking for:
1) What's the timeframe? Should it be available for Sarge, so it needs
quick packaging?
2) I don't have experience with SELinux, but as my secondary workplace
is just switching to it from GRSecurity (and I am the maintainer of it
in Debian), I think it would be a fit for me even if I need some more
time to deal with it.
Regards,
Laszlo/GCS
--
BorsodChem Joint-Stock Company www.debian.org Linux Support Center
Software engineer Debian Developer Developer
+36-48-511211/25-90 +36-20-4441745
| |
| Russell Coker 2005-05-29, 5:54 pm |
| On Monday 30 May 2005 06:01, Laszlo Boszormenyi <gcs@lsc.hu> wrote:
>
> I have a little time and would like to package auditd. There are two
> problems I am asking for:
> 1) What's the timeframe? Should it be available for Sarge, so it needs
> quick packaging?
It is ready for Sarge and it would be good to have it. It's in RHEL4 already
and will be in Fedora Core 4.
> 2) I don't have experience with SELinux, but as my secondary workplace
> is just switching to it from GRSecurity (and I am the maintainer of it
> in Debian), I think it would be a fit for me even if I need some more
> time to deal with it.
Auditd is necessary for full SE Linux functionality. Recent changes have SE
Linux audit messages giving less information unless they go through the audit
layer and with the volume of some of the audit messages it's best for
performance and reliability to have them go through auditd.
Your message wasn't clear but seems to imply that you want to get involved in
SE Linux development. If so then please contact me off-list, there's plenty
of work to share.
| |
| Steve Langasek 2005-05-30, 2:48 am |
| On Mon, May 30, 2005 at 07:21:41AM +1000, Russell Coker wrote:
> On Monday 30 May 2005 06:01, Laszlo Boszormenyi <gcs@lsc.hu> wrote:
> It is ready for Sarge and it would be good to have it. It's in RHEL4 already
> and will be in Fedora Core 4.
Uh, I don't care how quickly you package it, we're not promoting a totally
new package from unstable to stable in the space of a week. Sorry.
--
Steve Langasek
postmodern programmer
| |
| Laszlo Boszormenyi 2005-05-30, 5:53 pm |
| On Sun, 2005-05-29 at 20:36 -0700, Steve Langasek wrote:
[...]
> Uh, I don't care how quickly you package it, we're not promoting a totally
> new package from unstable to stable in the space of a week. Sorry.
Err, my wording was wrong. I meant prepare it to run in a Sarge
environment or not. But I do not want it to be official either, but as
an add-on from an unofficial apt-repository.
Btw, it will need ftp-masters' approval even, as it will be a new
package, then more tests, bug reports to fix, etc; no way for official
support in Sarge, I know it.
Sorry for the confusion,
Laszlo/GCS
|