Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
NSA SELinux Support???
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
sk8harddiefast
Guru
Guru


Joined: 15 Feb 2009
Posts: 335
Location: athens

PostPosted: Fri Feb 14, 2014 3:17 pm    Post subject: NSA SELinux Support??? Reply with quote

Trying to configure my kernel I see on Security section this:
Code:
NSA SELinux Support (SECURITY_SELINUX)

CONFIG_SECURITY_SELINUX:

This selects NSA Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
If you are unsure how to answer this question, answer N.

Symbol: SECURITY_SELINUX [=n]
Type : boolean
Prompt: NSA SELinux Support
Location:
-> Security options
Defined at security/selinux/Kconfig:1
Depends on: SECURITY_NETWORK [=y] && AUDIT [=y] && NET [=y] && INET [=y]
Selects: NETWORK_SECMARK [=y]


What is this??? The try of NSA to spy Linux???
And of course the obvious question. Is Gentoo safe? Of course I have nothing to hide, but this don't mean that I like to have no personal life even on my own computer!!!!!!!
_________________
Compile The Universe
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 2524
Location: UK

PostPosted: Fri Feb 14, 2014 5:21 pm    Post subject: Reply with quote

Please educate yourself instead of immediately launching into paranoid ranting and raving.

Given that it's been in every mainline kernel for a decade, and the code has been open-source for close to 1.5 decades, someone out of the millions of people who have used and read the code would have noticed by now if it was doing something bad.
Back to top
View user's profile Send private message
sk8harddiefast
Guru
Guru


Joined: 15 Feb 2009
Posts: 335
Location: athens

PostPosted: Fri Feb 14, 2014 5:36 pm    Post subject: Reply with quote

Just Because I come from BSD I am a little cautious about NSA and Linux because I heard a lot about backdoors on kernel etc.
So is better to enable this or not?
_________________
Compile The Universe
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 2652

PostPosted: Fri Feb 14, 2014 6:52 pm    Post subject: Reply with quote

No. Or at least not without learning a lot more about it, first. I would suggest starting by looking into Hardened Gentoo. They have other hardening schemes besides SELinux.

SELinux is a very complicated thing. They've made a lot of progress on setting up policies to start with, but it's still complex, and not to be entered without at least some knowledge.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
Tractor Girl
Apprentice
Apprentice


Joined: 16 May 2013
Posts: 159

PostPosted: Sat Feb 15, 2014 5:45 pm    Post subject: Reply with quote

Quote:
Just Because I come from BSD I am a little cautious about NSA and Linux because I heard a lot about backdoors on kernel etc

BSD :wink:

Grsecurity will be better option for you.
Back to top
View user's profile Send private message
creaker
l33t
l33t


Joined: 14 Jul 2012
Posts: 651

PostPosted: Sat Feb 15, 2014 11:06 pm    Post subject: Reply with quote

Ant P. wrote:
... someone out of the millions of people who have used and read the code would have noticed by now if it was doing something bad.


As you know, a million mediocre programmers will not replace a single genius programmer. Million ordinary developers will not notice a trap set by a genius. That's why he is a genius.
The fact that SELinux is open source means nothing in terms of transparency and safety. If it wouldn't be possible to hide backdoors in open source code, NSA wouldn't ask Torvalds for embedding their crap into kernel. Dual-use code (its secret part) always can be hide from prying eyes, especially in a such complicated matter as SELinux.
The openness of the code helps to detect unintended vulnerabilities that are not hidden and lie on the surface, in contrast to the carefully hidden backdoors.

sk8harddiefast wrote:

So is better to enable this or not?

As for me, SELinux will be the last thing I would enable at my desktop
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 2652

PostPosted: Sun Feb 16, 2014 1:15 am    Post subject: Reply with quote

I'll say it again. Forget the NSA for the moment. SELinux is incredibly complex. Don't "casually activate it" in your kernel unless you at least know what an "SELinux policy" is and have one either installed or ready for installation, and have read the documentation to know what the correct sequence is. (Because I haven't.)
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
i92guboj
Moderator
Moderator


Joined: 30 Nov 2004
Posts: 10125
Location: Córdoba (Spain)

PostPosted: Sun Feb 16, 2014 9:53 am    Post subject: Re: NSA SELinux Support??? Reply with quote

sk8harddiefast wrote:
Trying to configure my kernel I see on Security section this:

What is this??? The try of NSA to spy Linux???
And of course the obvious question. Is Gentoo safe? Of course I have nothing to hide, but this don't mean that I like to have no personal life even on my own computer!!!!!!!


Ugh, I've never looked into the code and, even if I did, I'm 98% sure I wouldn't completely understand it because I suck at crypto and that stuff. But it's an easy question: you don't want it, you don't use it. The code might be as evil as Hitler, but the kernel developers are the one to integrate it into the build tree, and they truly make sure that if you disable a code path, then that code is not compiled, and so, it can't run. And so, you are safe from the NSA evil-ness.

As for the evil itself... well... on one side, I tend to agree that if something wrong was there, it should have been disclosed by now. That code wasn't introduced yesterday, it's been there for long, and it's certainly been there in all the Linuxes you've tried, not just Gentoo.

On the other side, I believe that, like in quantum physics, you can never be 100% sure. If this was an evident backdoor that has gone unnoticed for a decade even being evident, then it wouldn't be the first at all.

Anyway... what does an NSA backdoor look like?!? :twisted:
_________________
Gentoo Handbook | My website
Back to top
View user's profile Send private message
miroR
Guru
Guru


Joined: 05 Mar 2008
Posts: 417

PostPosted: Tue Mar 25, 2014 8:23 am    Post subject: Reply with quote

creaker wrote:
Ant P. wrote:
... someone out of the millions of people who have used and read the code would have noticed by now if it was doing something bad.


As you know, a million mediocre programmers will not replace a single genius programmer. Million ordinary developers will not notice a trap set by a genius. That's why he is a genius.
The fact that SELinux is open source means nothing in terms of transparency and safety. If it wouldn't be possible to hide backdoors in open source code, NSA wouldn't ask Torvalds for embedding their crap into kernel. Dual-use code (its secret part) always can be hide from prying eyes, especially in a such complicated matter as SELinux.
The openness of the code helps to detect unintended vulnerabilities that are not hidden and lie on the surface, in contrast to the carefully hidden backdoors.

sk8harddiefast wrote:

So is better to enable this or not?

As for me, SELinux will be the last thing I would enable at my desktop

The above is very true, and very correct.
But what if some of you people, said that you
"do think NSA is hacking people"...
I mean, don't even think of saying that the NSA is tapping the whole world? They'd send a killer to kill you like they (well some of the other agencies, but that's the same kind) killed Michael Hastings... R.I.P, Michael...
Somebody somewhere said "NSA is hacking people" and there were a bunch of trolls upon him and went off the wall, straight!...
Sorry for my bitterness.
But I would actually like to ask you people, pls. what happened to the Grsecurity documentation on www.gentoo.org ?
There used to be ample!
Now, do you see what I see when you open:
http://www.gentoo.org/proj/en/hardened/roadmap.xml
I mean, just a few links in bottom, and e.g. the quickstart available only as PDF, while I remembere very well it was a great document that opened at least a dozen Grsecurity/Pax related documents?
Also, what happened to hardened sources?
I mean, I have been trying to reinstall Gentoo, and in the kernel, the hardened stage3 one downloaded, all is SELinux by default...
Actually it could have to do something with the change in leadership, couldn't it?
What's the story of Zach Medic leaving? I'm not familiar really... Is it public somewhere for reading?
Could anybody give a hand, I mean pitch in with a little research and contacting aroud, let's try and get Anthony Basile (IIRC he is the author of TinHat), to maybe revert this, what I regard as: ruining of Gentoo... Well, I mean, pls. people, give us those documents back before public eyes! There was a slew of documentation on Grsecurity/Pax and was being rapidly developed, on gentoo.org, yes, on gentoo.org, I think maybe one year ago, but I'm not good at precisely remembering of times...

#####################################################
I can't do much, I have had serious damage and am in
overwork mode...
#####################################################

My troubles go way back, some only I have managed to document:

"grsec: halting the system due to suspicious kernel crash"
http://forums.grsecurity.net/viewtopic.php?f=3&t=3709

Here at forums.gentoo also my troubles have gone for long now:

"System attacked, Konqueror went on window-popping spree!"
http://forums.gentoo.org/viewtopic-t-905472.html

If Grsecurity were not viable in Gentoo, Gentoo will become just nice looking crap, nothing else.

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1242
Location: 42.68n 85.41w

PostPosted: Tue Mar 25, 2014 12:36 pm    Post subject: Reply with quote

http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg
_________________
cat /etc/*-release
Funtoo Linux - baselayout 2.2.0
consider this warning no. 1
https://wiki.gentoo.org/index.php?title=Special:Contributions/666threesixes666&offset=&limit=500&target=666threesixes666
Back to top
View user's profile Send private message
miroR
Guru
Guru


Joined: 05 Mar 2008
Posts: 417

PostPosted: Tue Mar 25, 2014 1:42 pm    Post subject: Reply with quote

666threesixes666 wrote:
http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg

That opens nothing for me. But even if it did, I don't care if it has nothing to do with the issue of Grsecurity documentation that was lots of it on www.gentoo.org.

Are there really so few people who understand the severity of these issues?

Documentation that was, I reapeat, ample and reliable, on Grsecurity, gone to /dev/null?

And no one cares?

Miroslav Rovis
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1242
Location: 42.68n 85.41w

PostPosted: Tue Mar 25, 2014 1:54 pm    Post subject: Reply with quote

my method of security is to have nothing compromising or important in the first place. its a picture of tin hats. im with ant p on this one, if it were compromising, people would of noticed by now. there are methods to firewall all in & out traffic. ufw & ufw-frontends show traffic logs. check ip addresses online against NSA ips.
_________________
cat /etc/*-release
Funtoo Linux - baselayout 2.2.0
consider this warning no. 1
https://wiki.gentoo.org/index.php?title=Special:Contributions/666threesixes666&offset=&limit=500&target=666threesixes666
Back to top
View user's profile Send private message
blueness
Developer
Developer


Joined: 25 Nov 2009
Posts: 31
Location: Buffalo, NY

PostPosted: Tue Mar 25, 2014 2:14 pm    Post subject: Reply with quote

miroR wrote:
666threesixes666 wrote:
http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg

That opens nothing for me. But even if it did, I don't care if it has nothing to do with the issue of Grsecurity documentation that was lots of it on www.gentoo.org.

Are there really so few people who understand the severity of these issues?

Documentation that was, I reapeat, ample and reliable, on Grsecurity, gone to /dev/null?

And no one cares?

Miroslav Rovis


I don't like documenting. But have a look at: https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart There are also related links at the bottom. If you find stuff that's wrong or incomplete, then add it to the wiki.
Back to top
View user's profile Send private message
miroR
Guru
Guru


Joined: 05 Mar 2008
Posts: 417

PostPosted: Tue Mar 25, 2014 2:28 pm    Post subject: Reply with quote

blueness wrote:
miroR wrote:
666threesixes666 wrote:
http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg

That opens nothing for me. But even if it did, I don't care if it has nothing to do with the issue of Grsecurity documentation that was lots of it on www.gentoo.org.

Are there really so few people who understand the severity of these issues?

Documentation that was, I reapeat, ample and reliable, on Grsecurity, gone to /dev/null?

And no one cares?

Miroslav Rovis


I don't like documenting. But have a look at: https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart There are also related links at the bottom. If you find stuff that's wrong or incomplete, then add it to the wiki.


Thank you, good Gentoo dev, sincerely!

Now, while I was in the process of writing my mail below, I got this reply form Anthony, but I can not rewrite all that I prepared for posting.

So just keep that fact in mind, that I wrote the most part below, before this reply.

===========================================


666threesixes666 wrote:
my method of security is to have nothing compromising or important in the first place. its a picture of tin hats. im with ant p on this one, if it were compromising, people would of noticed by now. there are methods to firewall all in & out traffic. ufw & ufw-frontends show traffic logs. check ip addresses online against NSA ips.

I respect your stance. Pls. respect mine, you keep with SELinux, no problem for me, I keep against SELinux, no problem for you must be. Thanx!

Back to the issue of Grsecurity documentation.
I was saying, we need to know more on the issue of documentation basically retrograded from what it was.

I was also saying that: "I can't do much..." and I gave the reson...

pls. find on both above.

But I have to do something about this.... I'm out of Gentoo, if Grsecurity is beaten up so much in the new state of affairs in Gentoo, under the (if that is the case, information missing) new leadership, that it is not viable for non-experts like me, and given the enormity of the documentation missing (since when, did it disappear gradually or all of a suddan, information again missing)...

So, if I have to be out of Gentoo, which, for me, and I believe than I am allowed to deem so, Gentoo is pure nice-looking crap, for me, I repeat, if I can't get Grsecurity to work on it...

And by this time, I am pretty used to Gentoo... I've benefited a lot from GNU/Linux in general, and Gentoo has been a flavor that I gew inamored of...

And now, the default in the Hardened kernel, the SELinux, which, IMO, and I am glad that the Superpower does has that much democracy left, for me to be able to state the following claim: which, IMO (sic!) gives newbies wholesale to NSA's spying.

Yes, exactly so, and exactly in my opinion. IMO.
Pls. notice what creaker said above. Read it twice, or more times.
That is soooo truuee.

IMO: Dear leader Linus is a genius, but he is ruining the beauty of the free world which GNU/Linux, the OS which has even been named after him... He has been ruining it ever since he introduced SELinux in it. IMO.

In my opinion.

Pls. keep up that hated by those who want privacy and know that there isn't any with ith, SELinux as option, if you really want, dear Gentoo GNU/Linux leaders, keep it as option, if you really have to.... Keep it, but...

Keep it, but don't prevent poor users like me (it's in the Gospel sense of the word) to install the privacy defending Grsecutiry/Pax-patched kernel into our boxes, by preventing us the access to the information on Grsecurity!

Don't do _that_!

Because that is against any moral codex, that is certainly against GNU as licence, that is (information missing, haven't tead it) very probably against the Statute of the Gentoo Foundation!

Where is that documentation? Does anyone have any backups anywhere? Post them, please!

I also sent a message to Anthony G. Basile

=========================================
And it was at this point that I noticed he replied to my mail here, publically.

Thanks again. Pls. keep up maintaing Grsecurity/Pax patches for the Genius's kernel. And if only he reverted to the ways of the good people!

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Back to top
View user's profile Send private message
miroR
Guru
Guru


Joined: 05 Mar 2008
Posts: 417

PostPosted: Tue Mar 25, 2014 3:11 pm    Post subject: Reply with quote

I'm oldish, not fresh as most of the readers.
But still, it's not my inability to search!
You know what I think it is?
And those who are reading right now can find out it is so very probably easily...
No, it's not. But let me tell you what I thought it was.
I thought it was just the word grsecurity was missing from the terms that https://wiki.gentoo.org/i would readily find those articles. and instead only Grsecurity2 was there...
No, that wasn't it, because it now, now that I had already opened one of the pages, now it returned a whole buch of it...
Upon entering the term "grsecurity"....
IMO:
Gentoo has always had a strong team of Grsecurity-patching kernel developers, which, let me say it for the newbies, is basically, giving the kernel most of it's privacy back, thanks to Spender and Pax Team, two geniuses like our Dear Leader Linus gone NSA loving, who are, along with a team around them, righting out some of the backdoors from Linus's kernel...
IMO.
It was, and it is likely to be for many of especially newbies, searching for Grsecurity documentation,
IMO:
plain censorship
IMO.
Don't do _that_ either. You ruined so much of my time, but at least I've drawn attention to more newbies what SELinunx really is, hopefully. I don't live selfishly. I want privacy for all good people!
You ruined so much of my time, because I searched correctly, and the Wiki didn't give me back other than the roadmap page, just as I reported above.
I can't prove what I stated above. Due to downtime of some of my system I'm underresourced. But I did see with my own two eyes that Wiki,gentoo.org upon my first search this day for the term "grsecurity" didn't give me much, and didn't give me the sufficient resources that there still are, and which it is now giving back to me upon the exact same search of mine.
It could have been an error, but go and study my posts on Debian Forums and on Grsecurity Forums about Debian attitude toward Grsecurity and find out about "errors".... Just search for my name. Plenty ther, unless, of course, your searches are censored on Debian Forums, as well. Not on Grsecurity Forums, not that...

Due to some strong statements that I posted, I need to be back to see if any replies will be there for my answering back, but I am strapped for time, so I'll be back only in maximum of a few hours, and then I must be off.

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Back to top
View user's profile Send private message
TomWij
Developer
Developer


Joined: 04 Jul 2012
Posts: 1551

PostPosted: Tue Mar 25, 2014 7:04 pm    Post subject: Reply with quote

miroR wrote:
It was, and it is likely to be for many of especially newbies, searching for Grsecurity documentation,
IMO:
plain censorship
IMO.
Don't do _that_ either.


It is made quite visible for example in https://wiki.gentoo.org/wiki/Hardened/FAQ where you can then go to the quickstart and even find more resources at the bottom of the quickstart in https://wiki.gentoo.org/wiki/Project:Hardened/Grsecurity2_Quickstart#Resources where I think there is a lot more to read, as a wiki intends to cover those things in the context of Gentoo whilst not copying the entire upstream documentation; there's no censorship afaik (otherwise you would find it in Google Cache, way back machine, ...), but it might be the case that older versions are replaced by newer versions given that the Gentoo maintainers move towards moving the new version and deprecate and/or remove the old version.
Back to top
View user's profile Send private message
miroR
Guru
Guru


Joined: 05 Mar 2008
Posts: 417

PostPosted: Tue Mar 25, 2014 7:57 pm    Post subject: Reply with quote

TomWij wrote:
miroR wrote:
It was, and it is likely to be for many of especially newbies, searching for Grsecurity documentation,
IMO:
plain censorship
IMO.
Don't do _that_ either.


It is made quite visible for example in https://wiki.gentoo.org/wiki/Hardened/FAQ where you can then go to the quickstart and even find more resources at the bottom of the quickstart in https://wiki.gentoo.org/wiki/Project:Hardened/Grsecurity2_Quickstart#Resources where I think there is a lot more to read, as a wiki intends to cover those things in the context of Gentoo whilst not copying the entire upstream documentation; there's no censorship afaik (otherwise you would find it in Google Cache, way back machine, ...), but it might be the case that older versions are replaced by newer versions given that the Gentoo maintainers move towards moving the new version and deprecate and/or remove the old version.

All is fine. Now.
I won't go into any more details on this.
Thanks for caring!
I might be back to report how I reinstalled Gentoo from scratch. A non-expert as me, and having been under attack, as documented (there are links above), who knows if I'll even make it at all....
But Gentoo might continue to be my favorite GNU/Linux as well, if I do make it...
Namely, the breaking into my systems that I documented in the link in my first post in this topic, above, are not all, and one of my Gentoo boxes is basically now out of use on the SOHO, only as standalone, and it's... a crippled SOHO...
But I'm digressing now, somewhat...
Pls. keep Gentoo free, privacy-viable and kind as it has been for the most of its lifetime so far!
Miroslav Rovis
Zagreb, Croatia,
www.CroatiaFidelis.hr
Back to top
View user's profile Send private message
miroR
Guru
Guru


Joined: 05 Mar 2008
Posts: 417

PostPosted: Fri Mar 28, 2014 9:17 am    Post subject: Reply with quote

There is somewhat of a follow-up, as far as privacy-viable Gentoo goes, here:
Offline Install, use emerge-webrsync to check and log?
http://forums.gentoo.org/viewtopic-t-987268.html
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum