Are there any SELinux tools available for Cygwin?

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Are there any SELinux tools available for Cygwin?

PolarStorm
Hi,
I'm looking into remotely managing a few machines that are running various SELinux flavours.
But the management of SELinux and the audit.log files often requires tools such as:

audit2allow
audit2why
semanage
etc.

Some of this code can be found here:
http://userspace.selinuxproject.org/trac/browser/libselinux/src
http://userspace.selinuxproject.org/trac/browser/policycoreutils

Are there any Cygwin tools or packages made, that I can use to get this functionality?

I want to clarify that I am fresh out of the box on using SElinux and that I'm obviously
NOT looking to use SELinux on Cygwin, but would like to use the various policy editing
and generators, and the audit log file analyzers, on my local Cygwin machine.

Thanks in advance.

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Warren Young
On 5/30/2014 03:05, PolarStorm wrote:
>
> I'm obviously
> NOT looking to use SELinux on Cygwin, but would like to use the various
> policy editing
> and generators, and the audit log file analyzers, on my local Cygwin
> machine.

There is an excellent tool for managing SELinux on remote machines, and
it is packaged for Cygwin.  It is called ssh.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

PolarStorm
Warren Young wrote
There is an excellent tool for managing SELinux on remote machines, and
it is packaged for Cygwin.  It is called ssh.
Perhaps you have a package to prevent idiots from answering here as well? Install it please.
Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Robert Pendell-5
On Sat, May 31, 2014 at 4:40 AM, PolarStorm wrote:
> Warren Young wrote
>> There is an excellent tool for managing SELinux on remote machines, and
>> it is packaged for Cygwin.  It is called ssh.
>
> Perhaps you have a package to prevent idiots from answering here as well?
> Install it please.
>
>
>

There is no need for hostility here.  Anyways back on topic.

I personally don't see a point in building userland SELinux tools for
Cygwin.  As Warren pointed out already it may be simpler to just ssh
into the box in question and generate it from there.  I took a look
and building the tools may be quite a task.  It looks like at least a
few dependencies may need to be built.  I have not attempted this
myself but you are welcome to do so.

With that in mind a quick look in the packages list (available on the
website) or via an internet search (eg: google or bing) would of
revealed that none exist yet.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

PolarStorm
Robert Pendell-5 wrote
I personally don't see a point in building userland SELinux tools for
Cygwin.  As Warren pointed out already it may be simpler to just ssh
into the box in question and generate it from there.  I took a look
and building the tools may be quite a task.  It looks like at least a
few dependencies may need to be built.  I have not attempted this
myself but you are welcome to do so.
Thanks for reply.
That is obvious, and why I asked about this in the first place. I'd like to
refrain from having to run long remote sessions on each machine while
experimentally editing all the various policy files. Downloading all files in
one go and doing analysis and editing locally, is why I wanted to do this
on Cygwin.

The recent popularity of SELinux enabled distributions, will certainly ensure
that more people will get involved with various SELinux policies. Another
point is that there seem to exist ~3 different "flavors" of SELinux
implementations, where the last addition is the SEAndroid by Google.

https://android.googlesource.com/platform/external/sepolicy/

As the next generation (>=KitKat) of Android mobile devices will all be
distributed with SEAndroid in Enforced mode, by default. These tools
will be exponentially of more interest to developers, as local editing
on mobile devices are either crippled, poorly implemented and tested,
or extremely inconvenient.

With that in mind a quick look in the packages list (available on the
website) or via an internet search (eg: google or bing) would of
revealed that none exist yet.
Which is why I posted and asked here. I was hoping someone else would
have been interested enough to have tried to build these. Building these
by myself would indeed be something way above my head, especially as
I am very new to -- and still learning proper SELinux usage.  


Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Christopher Faylor-8
In reply to this post by PolarStorm
On Sat, May 31, 2014 at 01:40:53AM -0700, PolarStorm wrote:
>Warren Young wrote
>> There is an excellent tool for managing SELinux on remote machines, and
>> it is packaged for Cygwin.  It is called ssh.
>
>Perhaps you have a package to prevent idiots from answering here as well?
>Install it please.

Please abstain from name-calling.

cgf

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Warren Young
In reply to this post by PolarStorm
On 5/31/2014 12:33, PolarStorm wrote:
> I'd like to
> refrain from having to run long remote sessions on each machine while
> experimentally editing all the various policy files. Downloading all files
> in
> one go and doing analysis and editing locally, is why I wanted to do this
> on Cygwin.

How is that easier?  You have to test each experimental edit, and that
requires a Linux kernel running SELinux.  Cygwin is not a Linux kernel.

Personally, if I were still experimenting, I'd spin up a VM configured
like the system I intended to modify, do my work on it, then ship a
completed policy set to the remote system.  Linux VM how-tos are
off-topic here, though.

> Another
> point is that there seem to exist ~3 different "flavors" of SELinux
> implementations,

What point are you making here, exactly?  Do you want Cygwin to emulate
one of them, or all of them, or none of them?

I think all three choices are doomed, each for a different reason.

> As the next generation (>=KitKat) of Android mobile devices will all be
> distributed with SEAndroid in Enforced mode, by default. These tools
> will be exponentially of more interest to developers, as local editing
> on mobile devices are either crippled, poorly implemented and tested,
> or extremely inconvenient.

That's why the Android SDK includes an emulator, which is a VM, just as
I described above.

Are you aware that some of the text editors ported to Cygwin can edit a
file over SSH?  For instance, vim:

    vim scp://user@remotehost:password/path/to/file

The edit proceeds at local speeds.  A save takes a remote file upload,
but you had to do that anyway.

> I was hoping someone else would
> have been interested enough to have tried to build these.

You aren't going to find SystemTap or iptables tools for Cygwin, either?
  Why?  Same reason: you need a running Linux kernel to make any use of
them, and Cygwin is not a Linux kernel.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

PolarStorm
Warren Young wrote
On 5/31/2014 12:33, PolarStorm wrote:
> I'd like to
> refrain from having to run long remote sessions on each machine while
> experimentally editing all the various policy files. Downloading all files
> in
> one go and doing analysis and editing locally, is why I wanted to do this
> on Cygwin.

How is that easier?  You have to test each experimental edit, and that
requires a Linux kernel running SELinux.  Cygwin is not a Linux kernel.

Personally, if I were still experimenting, I'd spin up a VM configured
like the system I intended to modify, do my work on it, then ship a
completed policy set to the remote system.  Linux VM how-tos are
off-topic here, though.
Yes, I'm used to VM's. This is probably the way I'll end up doing it.  
It's to laborious for me to try to compile all these tools on Cygwin.
In addition, I wouldn't know what would be compatible with what.

> Another
> point is that there seem to exist ~3 different "flavors" of SELinux
> implementations,

What point are you making here, exactly?  Do you want Cygwin to emulate
one of them, or all of them, or none of them?
I think all three choices are doomed, each for a different reason.
In an ideal world, I would have asked to be able to deal with all of them,
but at this point "any one" could also be helpful.

But it would be more interesting to hear why you think all of them are "doomed"?

Thanks for taking the time to give a proper answer, I very much appreciate it.

Best Wishes,
Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Andrey Repin
Greetings, PolarStorm!

> But it would be more interesting to hear why you think all of them are
> "doomed"?

> Warren Young wrote
>> requires a Linux kernel running SELinux.  Cygwin is not a Linux kernel.

It would be advantageous to actually read messages, I think.


--
WBR,
Andrey Repin ([hidden email]) 03.06.2014, <14:29>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Warren Young
In reply to this post by PolarStorm
On 6/3/2014 02:58, PolarStorm wrote:
>
> But it would be more interesting to hear why you think all of them are
> "doomed"?

Okay.

Option 1, Cygwin supports its own flavor of SELinux, incompatible with
all others.  Do I really need to tell you why this is a bad idea?

Option 2, Cygwin picks one of the three preexisting flavors to emulate.
  Most likely reason to fail: Windows's MAC system -- such as it is --
doesn't work even vaguely like SELinux, so Cygwin cannot emulate SELinux
in terms of Windows kernel mechanisms.  The best it could do is provide
a soft emulation that only works among programs based on Cygwin, and
then only to the extent that they play by the rules and make all their
I/O calls via cygwin1.dll.  As soon as they bypass the Cygwin DLL, the
benefits of SELinux go away.  You do know what the M in MAC stands for,
right?  It'd be like using velvet ropes to fence off a preschool playground.

Option 3, emulate all preexisting SELinux flavors.  Most likely reason
to fail: Take Option 2 and multiply it by 3.  Then ask yourself who will
do all that low-value work.

> Thanks for taking the time to give a proper answer, I very much appreciate
> it.

My first post was a proper answer.  It gave you a perfectly legitimate
solution to the problem.  The fact that you didn't *like* the answer
does not rob it of legitimacy.

One of the biggest mistakes people make when asking for help is
specifying the solution in advance.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Reply | Threaded
Open this post in threaded view
|

Re: Are there any SELinux tools available for Cygwin?

Christopher Faylor-8
On Tue, Jun 03, 2014 at 01:20:26PM -0600, Warren Young wrote:
>One of the biggest mistakes people make when asking for help is
>specifying the solution in advance.

Amen.

cgf

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple