AHA! Yes, 'sestatus' gave me the same thing.
Sorry but I simply LOVED the Aha thing......
rofl...thanks
Looked at the whole log messages but see no hint of the start or failure of SELinux. Does anybody know if SELinux is compatible with the PAE kernel?
If yes, where can I see (log files) when SELinux should be loaded?
/bin/mount /root/proc
What am I telling in boot-sh exactly?
I am "moving a device node". But what does this actually mean in this context?
Thanks for sharing your knowledge.
and actually at the end I do
cd /root
umount /proc
So why do I first mount and then umount /root/proc???
idk if this helps at all, but through the power of Google I found an interesting tidbit from the changelog of the 2.6.29.5 kernel (http://www.kernel.org/pub/linux/kern...geLog-2.6.29.5):
" SELinux: BUG in SELinux compat_net code
This patch is not applicable to Linus's tree as the code in question has
been removed for 2.6.30. I'm sending in case any of the stable
maintainers would like to push to their branches (which I think anything
pre 2.6.30 would like to do).
Ubuntu users were experiencing a kernel panic when they enabled SELinux
due to an old bug in our handling of the compatibility mode network
controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
Most distros have not used the compat_net code since the new code was
introduced and so no one has hit this problem before. Ubuntu is the only
distro I know that enabled that legacy cruft by default. But, I was asked
to look at it and found that the above patch changed a call to
avc_has_perm from if(send_perm) to if(!send_perm) in
selinux_ip_postroute_iptables_compat(). The result is that users who
turn on SELinux and have compat_net set can (and often will) BUG() in
avc_has_perm_noaudit since they are requesting 0 permissions."
I'm using kernel 2.6.27, so this patch wouldn't affect (or would it?) openSUSE 11.1 (what I'm using).
Nope. As it says: "Ubuntu is the only distro I know that enabled that legacy cruft by default."
I do not think this is the issue. Maybe the config step (when we just paste what should be the content) is the problem. Maybe config "should" be already ok and no copy and paste should be necessary?
In any case, seeing the low participation, I would think that openSUSE users have no big interest in security, or if they have, like us, only little preparation. I have tried now for 6 months to make the howto for encrypted root work for my notebook (with /boot on usb-key). Not possible, not even a bit. And the participation in the thread was nil. 30000 very (in)active members.....I would say.
SELinux is quite a difficult subsystem to configure, even on distros where it's native, like Fedora and RHEL. It's useful for increasing security for servers, but it does little for desktop users. Desktop users would spend their time better making sure their packages are up-to-date, particularly for Mozilla products, and acroread. And of course, not much can be done in software about PEBKAC.
You are correct, it IS difficult to configure. Guess what, that is why I am here. Surprised? I would rather write IMHO when you make such statements. And then, I am a desktop user. So if we want our desktop users to acquire the skills to get their server one day (in safety) maybe we do better not to think in this "classy" way, right? It's all about knowledge and the will of sharing IMHO. Am I wrong?
I guess you do speak here about yourself?
I'm only pointing out that most of the users here are desktop users which is why there is little interest in SELinux or Apparmor for that matter. People here are more likely to ask questions about getting wireless or sound or media playing working.
If you want to learn to configure a server with SELinux, there are forums for that. Since SELinux is a feature of the kernel, it doesn't matter what distro you are using. So look further afield for the information you need, there is even a SELinux mailing list I'm sure. And of course nothing is stopping you from experimenting with your own machine.
Sorry, but if you are frustrated that you don't know how to find the information you need, no need to be rude, don't take it out on me.
You will need to enable SELinux in kernel & recompile it since SUSE kernels, IIRC, have SELinux disabled