Bugzilla – Bug 8670
Which way to go with SELINUX
Last modified: 2009-03-16 21:56:06 UTC
Can you please take a look at this page? http://wiki.sourcemage.org/index.php?page=SMGL+SELINUX I'd like some advice on the way to go with the selinux implementation.
I like the idea of a security/hardened grimoire (hum it would be better, but I have no idea of a magical term for that). Not only for selinux, but for all security enhancements (patches but also different default configurations, we could for example have a pam spell, with a "other" file that logs and rejects all authentication).
IMHO reasons to have a different grimoire are :
- we want the latest versions in test as quickly as possible, this won't be possible without breaking some security patches. That was said on the wiki, selinux is a good example, but gcc is another : gcc-4.0 will be soon in test, but SSP support is only available currently for gcc-3.4.
- this is more "readable" (and safe) : lots of people don't use PaX or selinux, it can only be a pb to ask them if they want a glibc with PaX support.
- we can hope that it'll be easier to see if the bug is introduced in the security stuff or not...
- if an improvement is thought stable enough, and important in terms of security, we can always integrate it to devel and test grimoires.
- the pb of having another grimoire for the user can easily be solved with a little explanation on the wiki for example.
Hum no mail sent on sm-security... CCed security team and grimoire guru.
(In reply to comment #1)
> - this is more "readable" (and safe) : lots of people don't use PaX or selinux,
> it can only be a pb to ask them if they want a glibc with PaX support.

true, we do seem to have lots of 'i want it all'-type of users lately ;)

> - the pb of having another grimoire for the user can easily be solved with a
> little explanation on the wiki for example.

true, so it's going to be a separate grimoire?
A separate grimoire is imho the way to go, at least until everything works as expected. Right now we have some problems caused by the incomplete selinux support popping up every now and then on IRC. Multi-grimoire support was done especially for things like this. Once everything works fine we can think about integrating it in the main grimoire (preferably with a global choice to activate it instead of per-spell questions).
OK if we agree on this we'll copy all SELinux spells to a new grimoire, and then delete the SELinux options in "regular" grimoires. I guess we'll need a new gpg key for this grimoire. And if someone could come up with a good name for it ;)
Probably just call the grimoire "secure" so as not to confuse people. ;) The rest are also non-magical names (test, stable, games, z-rejected). I would say "security", but we have a section with that name. We'd also want to explicitly inform the user that they'll want the "secure" grimoire listed first on `scribe index` or `gaze grimoires` so that it "overrides" the non-secure spells in other grimoires.
Other distros (for example LFS, Debian, Gentoo) are calling their security-focused versions hardened. Maybe we could do the same and call the grimoire hardened?
I agree with "hardened". I'd also like to know the pros and cons of a separate grimoire and if there are some changes that could be made to make it not a separate grimoire in the future (maybe with some more intelligence-giving api hooks or changes in sorcery).
What is possible is for example to add an option in sorcery, and test if enabled before asking questions about hardened options. However one problem (if integrated for example in test) will be different versions : SELinux and other security features usually take some time to be available for latest version. This will force us either to delay the new version in the grimoire, which is not the goal of the test grimoire, or to introduce two versions for the same spell...
Can someone with the permissions create the grimoire ? It seems I don't have the permission to do that.
I've set up a hardened grimoire with only a ChangeLog with write permissions only from the hardened group (`p4 group hardened`).
Users:
arjan_bouter
arwed_von_merkatz
eric_sandall
seth_woolley
thomas_houssin
tony_smith
Let me know if you need anything else. :)
Thanks, I added gcc with SSP support to hardened (we need to begin with something ;) )
I have several general questions about the tarball :
- we need a gpg key : any preferred length ? Do we want to use a passphrase for this one ?
- I had a quick look through the script getcodex.sh ; I think there are only slight modifications to add hardened grimoire. Anything else to do to generate it ?
* GPG key: I believe we're using 1024-bit, but Seth knows more about that. I believe we use a passphrase for all of them, but again Seth would know more.
* getcodex.sh: Just need to add hardened information AFAIK
I think I did everything needed : scribe add hardened now works, and the gpg key is in the sorcery-pubkeys in the hardened grimoire. If it works for you, we can close this bug... I'll send the passphrase to the people who have write access to the hardened grimoire.
The gpg key should be in the main grimoire sorcery-pubkeys spell like the ones for the other grimoires (z-rejected, games) are too.
I did not commit a lot lately in this grimoire (being busy IRL), but I think it'll be usable soon (something like two weeks in the worst case), with a wiki HOWTO.
I think the hardened grimoire is usable now (although I'll probably upgrade to gcc 3.4.4 in the next days). I'd like some testing before releasing it: I've been testing it for a while now (with SSP, grsecurity and PaX), all apps I use work with the hardened toolchain, but I probably missed some problems. Please report any pb you may have.
I also wrote a wiki page about this grimoire, and how to use it: http://wiki.sourcemage.org/index.php?page=Hardened+Grimoire
Feel free to correct any mistake in it.
I think the hardened grimoire is usable now : on a test machine : fresh install -> added hardened grimoire -> sorcery rebuild and then casting several spells (basically gnome2). As this was done without problem, I think I can send a mail on sm-discuss, to advertise about hardened a little and have more beta-testers. Do you agree ?
The more testers the merrier; I'm for it. :)
Yeah, go ahead and ask for testers. How do you want to continue with the hardened grimoire? Keep it separate or integrate the changes back to the main grimoire over time?
What I'd like is to integrate it in test when it's considered stable enough, and then begin again with a new hardened. Sorry about the delays, I'm moving from a flat to another and won't have the net for another week at least. (if someone can handle the urgent security updates...)
i gave up on selinux, it seems nobody wants to pick up the last couple of patches and i haven't got enough coding experience to do it myself. if anyone wants the missing init-script to create/mount the selinux dir at boot and set some env-vars, give me a shout.
Can you attach that to this bug? That way we won't have people shooting themselves in the feet, but it's still accessible for developers who want to get it completely finished.
Created attachment 6459: selinux init script
this script should go into %S to start selinux at boot
Can this bug be closed?
As the hardened grimoire is dead, we can close this bug I guess...