On Tue, 25 Sep 2007 03:11:39 -0500, Mike McCarty <[EMAIL PROTECTED]> said:
> Manoj Srivastava wrote:
>> On Mon, 24 Sep 2007 18:54:34 -0500, Mike McCarty
>> <[EMAIL PROTECTED]> said:
>>
>>> Manoj Srivastava wrote:
>>>> On Mon, 24 Sep 2007 18:21:16 -0500, Mike McCarty
>>>> <[EMAIL PROTECTED]> said:
>>>>
>>>>> Manoj Srivastava wrote:
>>>>>> Firstly: Very few packages have been actively patched to link
>>>>> Something like 50 or so. ls, mv, cp, etc.
>>>> Source packages. All those are from coreutils, no?
>>
>>> I believe so. My response was in regards to "very few". I suppose
>>> that is a subjective response. "50 or so" is not subjective.
>>
>> My response suggests that 50 or so is inaccurate, if you count source
>> packages. It is fewer than that. Compared to 10k source packages,
>> however, even the bloated figure of 50 is "few". BTW, I count 29
>> packages.

> I was using the published figure for Red Hat. They included such apps
> as ls, ps, mv, cp, etc. which are modified either to display or
> propagate attributes of processes or files.

        ls is not a package. ls comes from coreutils. Normal
 applications need zero modification under SELinux. Some applications
 which manage security may need to be made SELinux-aware, although this
 can often be done with PAM plugins, which is a standard way to do this
 kind of thing in modern Unix & Linux OSs.

--8<---------------cut here---------------start------------->8---
>> libselinux1 Reverse Depends: coreutils cron dbus dmraid dmsetup fcron
>> gdm gnome-user-share libblkid1 libdevmapper1.02.1 libgnomevfs2-0
>> libnss-db libpam-modules librpm4.4 logrotate loop-aes-utils lvm2
>> mount nautilus openssh-server passwd policycoreutils prelink rpm
>> sysvinit sysvinit-utils udev util-linux xdm
--8<---------------cut here---------------end--------------->8---

> So, ls can't display the extended attributes of the files? And ps
> can't display the attributes of the processes? And find can't be used
> selectively to find files based on the extended attributes?
        Again, you seem to be confusing executables with packages. ls is
 not a package. (try dpkg -l ls). But yes, unless coreutils is patched,
 ls -Z would probably return an error.

--8<---------------cut here---------------start------------->8---
__> ls -Z .login
-rw-r--r-- srivasta srivasta user_u:object_r:user_home_t:s0 .login
--8<---------------cut here---------------end--------------->8---

> It would take more than just kernel, of course. I am investigating
> LFS. Gentoo seems to have accepted SELinux as well, though since it is
> a source distro most of the work would be easier in that case,
> perhaps.

        Not really. You'll have to unpatch a whole bunch of gentoo
 source packages. And gentoo is further along than us with respect to
 security policy integration -- the keeper of the SELinux security
 policy is a gentoo core developer.

        manoj
-- 
"The real problem with SDI is that it doesn't kill anybody." Tom Neff
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
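As an added example (not code from this thread, from Debian, or from coreutils), here is a small Python parser for the `ls -Z` output layout shown in the message above, together with the decomposition of a security context into its user:role:type[:level] fields, which is what `ls -Z`, `ps -Z` and `find -context` are displaying or matching on. The sample listing lines are constructed for the example, the `.ssh`/`/bin` path patterns passed to `unexpected_types` are assumptions standing in for a real policy's file_contexts, and the parser deliberately raises when a line carries no context column, which is the case the message describes for an `ls` that is not linked against libselinux.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `ls -Z` output in the five-column
# mode/owner/group/context/name layout shown in the thread. These lines
# are made up for this example; they are not output from any real system.
SAMPLE_LS_Z = """\
-rw-r--r-- srivasta srivasta user_u:object_r:user_home_t:s0 .login
-rw------- srivasta srivasta user_u:object_r:user_home_ssh_t:s0 .ssh/id_rsa
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /bin/ls
drwx------ root root system_u:object_r:sshd_key_t:s0 /etc/ssh
"""

# A security context is user:role:type[:level]. The optional MLS/MCS level
# may itself contain ':' (e.g. s0-s0:c0.c1023), so only the first three
# fields are guaranteed to be colon-free.
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::\S+)?$")


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: Optional[str]  # None when the policy has no MLS/MCS field


def parse_context(label: str) -> Context:
    """Split a context string into its fields, keeping any MLS range intact."""
    if not CONTEXT_RE.match(label):
        raise ValueError(f"not a SELinux security context: {label!r}")
    parts = label.split(":", 3)  # at most 4 pieces: the level keeps its own colons
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return Context(user, role, typ, level)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    context: Context
    name: str


def parse_ls_z(output: str) -> List[Entry]:
    """Parse `ls -Z` lines in the layout: mode owner group context name.

    Raises ValueError when a line carries no context column, which is what
    you get from an `ls` that was not built against libselinux (or that
    printed an error message instead of a listing).
    """
    entries: List[Entry] = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 5 or not CONTEXT_RE.match(fields[3]):
            raise ValueError(
                f"no security context in line {line!r}; is ls SELinux-aware?"
            )
        mode, owner, group, label = fields[:4]
        name = " ".join(fields[4:])  # file names may contain spaces
        entries.append(Entry(mode, owner, group, parse_context(label), name))
    return entries


def files_of_type(entries: List[Entry], selinux_type: str) -> List[str]:
    """Names of entries whose context type matches, e.g. every user_home_ssh_t file."""
    return [e.name for e in entries if e.context.type == selinux_type]


def unexpected_types(entries: List[Entry], expected: List[Tuple[str, str]]) -> List[str]:
    """Report entries whose type differs from what a (name regex, type) list says.

    The pattern list is a simplified stand-in for the file_contexts a policy
    ships (an assumption of this example, not something from the thread);
    a mismatch is a file that would need relabelling.
    """
    problems: List[str] = []
    for e in entries:
        for pattern, typ in expected:
            if re.search(pattern, e.name) and e.context.type != typ:
                problems.append(f"{e.name}: {e.context.type} (expected {typ})")
    return problems


if __name__ == "__main__":
    for entry in parse_ls_z(SAMPLE_LS_Z):
        c = entry.context
        print(f"{entry.name:12} user={c.user} role={c.role} type={c.type} level={c.level}")
    print("ssh keys:", files_of_type(parse_ls_z(SAMPLE_LS_Z), "user_home_ssh_t"))
```

`files_of_type` is the same question `find / -context '*:user_home_ssh_t:*'` answers on a live system; the point of parsing the context rather than string-matching the whole label is that the type field is what the policy's rules are written against, while the user and level fields vary between hosts and users.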