https://researchut.com/tags/mandatory-access-controls/Recent content in Mandatory Access Controls on RESEARCHUTHugo -- gohugo.ioenrrs@researchut.com (Ritesh Raj Sarraf)rrs@researchut.com (Ritesh Raj Sarraf)Thu, 08 Jul 2010 18:08:00 -0400https://researchut.com/post/9/Thu, 08 Jul 2010 18:08:00 -0400rrs@researchut.com (Ritesh Raj Sarraf)https://researchut.com/post/9/<p>The latest kernel upload (2.6.32-16) brings goodies to SystemTap in Debian. This version has added support for kprobes, on which systemtap has a major dependency, for many of its features.</p> <p>Most of the systemtap instrumentation should work now and all of this will be part of the Squeeze release. Instrumenting the kernel modules still needs some work (DBTS: #555549) but can be done.</p>https://researchut.com/post/13/Tue, 11 May 2010 03:50:00 -0400rrs@researchut.com (Ritesh Raj Sarraf)https://researchut.com/post/13/<p>Just uploaded tomoyo-tools and is waiting in the NEW queue.</p> <p>Thanks to Moritz Muehlenhoff, tomoyo kernel support should be available in Debian with kernel 2.6.32-13 and above.</p> <p>What is Tomoyo ?</p> <p>Description: Lightweight and easy-use Mandatory Access Control for Linux</p> <p>TOMOYO Linux is Lightweight and Usable Mandatory Access Control with</p> <p>- &ldquo;automatic policy configuring&rdquo; feature by &ldquo;LEARNING mode&rdquo;</p> <p>- administrators friendly policy language</p> <p>- no need libselinux nor userland program modifications</p> <p>.</p> <p>TOMOYO Linux consists of patches to Linux kernel and administrative</p> <p>utilities, and this package contains its audit daemon and tools.</p> <p>Description: Lightweight and easy-use Mandatory Access Control for Linux</p> <p>TOMOYO Linux is Lightweight and Usable Mandatory Access Control with</p> <p>- &ldquo;automatic policy configuring&rdquo; feature by &ldquo;LEARNING mode&rdquo;</p> <p>- administrators friendly policy language</p> <p>- no need libselinux nor userland program modifications .</p> <p>TOMOYO Linux consists of patches to Linux kernel and administrative utilities, and this package contains its audit daemon and tools.</p>https://researchut.com/post/34/Thu, 11 Dec 2008 16:46:00 -0500rrs@researchut.com (Ritesh Raj Sarraf)https://researchut.com/post/34/<p>Thanks to <strong>Pierre Chifflier</strong> , Debian now has setroubleshoot packaged. The good thing about setroubleshoot is that it gives you a very user friendly message about the SELinux violations that occur on your box while you were doing something.</p> <p>Now that something is very difficult to define (at least for Debian). My day job requires me to work on the RHELdistribution which has very good SELinux policy defined (Same is the case with Fedora). Here&rsquo;s a list of things which Debian&rsquo;s SELinux policy lacks and that RHEL/Fedora&rsquo;s doesn&rsquo;t</p> <ul> <li><code>acpi -V</code> raises a violataion</li> <li><code>dmesg</code> raises a violation</li> <li><code>apt-get update</code> raises a violation</li> <li>You can&rsquo;t suspend, that raises a violation</li> <li>nvidia module load raises a violation (Oh!! Well. That&rsquo;s binary-only.</li> </ul> <p>But the same doesn&rsquo;t raise a violation in Fedora)</p> <p>So even though I&rsquo;d love to use SELinux on Debian, I can&rsquo;t. Basic tasks are seen as violation by the Debian SELinux Policy. Try out enabling SELinux in Permissive mode and install setroubleshoot. You&rsquo;ll see setroubleshoot pop-up a SELinux violation every 5 seconds. Turns out that Debian&rsquo;s SELinux policy is becoming just too too much secure and thus interfering with the user using the OS.</p>