Are there any SELinux tools available for Cygwin?

Are there any SELinux tools available for Cygwin?

[PolarStorm]

Hi,
I'm looking into remotely managing a few machines that are running various
SELinux flavours.
But the management of SELinux and the audit.log files often requires tools
such as:

audit2allow
audit2why
semanage
etc.

Some of this code can be found here: 
http://userspace.selinuxproject.org/trac/browser/libselinux/src
http://userspace.selinuxproject.org/trac/browser/policycoreutils

Are there any Cygwin tools or packages made, that I can use to get this
functionality?

I want to clarify that I am fresh out of the box on using SElinux and that
I'm obviously 
NOT looking to use SELinux on Cygwin, but would like to use the various
policy editing 
and generators, and the audit log file analyzers, on my local Cygwin
machine.

Thanks in advance. 





--
View this message in context: http://cygwin.1069669.n5.nabble.com/Are-there-any-SELinux-tools-available-for-Cygwin-tp108952.html
Sent from the Cygwin list mailing list archive at Nabble.com.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[Warren Young]

On 5/30/2014 03:05, PolarStorm wrote:
>
> I'm obviously
> NOT looking to use SELinux on Cygwin, but would like to use the various
> policy editing
> and generators, and the audit log file analyzers, on my local Cygwin
> machine.

There is an excellent tool for managing SELinux on remote machines, and 
it is packaged for Cygwin.  It is called ssh.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[PolarStorm]

Warren Young wrote
> There is an excellent tool for managing SELinux on remote machines, and 
> it is packaged for Cygwin.  It is called ssh.

Perhaps you have a package to prevent idiots from answering here as well?
Install it please.



--
View this message in context: http://cygwin.1069669.n5.nabble.com/Are-there-any-SELinux-tools-available-for-Cygwin-tp108952p108975.html
Sent from the Cygwin list mailing list archive at Nabble.com.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[Robert Pendell]

On Sat, May 31, 2014 at 4:40 AM, PolarStorm wrote:
> Warren Young wrote
>> There is an excellent tool for managing SELinux on remote machines, and
>> it is packaged for Cygwin.  It is called ssh.
>
> Perhaps you have a package to prevent idiots from answering here as well?
> Install it please.
>
>
>

There is no need for hostility here.  Anyways back on topic.

I personally don't see a point in building userland SELinux tools for
Cygwin.  As Warren pointed out already it may be simpler to just ssh
into the box in question and generate it from there.  I took a look
and building the tools may be quite a task.  It looks like at least a
few dependencies may need to be built.  I have not attempted this
myself but you are welcome to do so.

With that in mind a quick look in the packages list (available on the
website) or via an internet search (eg: google or bing) would of
revealed that none exist yet.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[PolarStorm]

Robert Pendell-5 wrote
> I personally don't see a point in building userland SELinux tools for
> Cygwin.  As Warren pointed out already it may be simpler to just ssh
> into the box in question and generate it from there.  I took a look
> and building the tools may be quite a task.  It looks like at least a
> few dependencies may need to be built.  I have not attempted this
> myself but you are welcome to do so.

Thanks for reply.
That is obvious, and why I asked about this in the first place. I'd like to 
refrain from having to run long remote sessions on each machine while 
experimentally editing all the various policy files. Downloading all files
in
one go and doing analysis and editing locally, is why I wanted to do this 
on Cygwin. 

The recent popularity of SELinux enabled distributions, will certainly
ensure 
that more people will get involved with various SELinux policies. Another 
point is that there seem to exist ~3 different "flavors" of SELinux 
implementations, where the last addition is the SEAndroid by Google. 

https://android.googlesource.com/platform/external/sepolicy/

As the next generation (>=KitKat) of Android mobile devices will all be 
distributed with SEAndroid in Enforced mode, by default. These tools
will be exponentially of more interest to developers, as local editing
on mobile devices are either crippled, poorly implemented and tested, 
or extremely inconvenient. 


> With that in mind a quick look in the packages list (available on the
> website) or via an internet search (eg: google or bing) would of
> revealed that none exist yet.

Which is why I posted and asked here. I was hoping someone else would 
have been interested enough to have tried to build these. Building these
by myself would indeed be something way above my head, especially as
I am very new to -- and still learning proper SELinux usage.  






--
View this message in context: http://cygwin.1069669.n5.nabble.com/Are-there-any-SELinux-tools-available-for-Cygwin-tp108952p108983.html
Sent from the Cygwin list mailing list archive at Nabble.com.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[Warren Young]

On 5/31/2014 12:33, PolarStorm wrote:
> I'd like to
> refrain from having to run long remote sessions on each machine while
> experimentally editing all the various policy files. Downloading all files
> in
> one go and doing analysis and editing locally, is why I wanted to do this
> on Cygwin.

How is that easier?  You have to test each experimental edit, and that 
requires a Linux kernel running SELinux.  Cygwin is not a Linux kernel.

Personally, if I were still experimenting, I'd spin up a VM configured 
like the system I intended to modify, do my work on it, then ship a 
completed policy set to the remote system.  Linux VM how-tos are 
off-topic here, though.

> Another
> point is that there seem to exist ~3 different "flavors" of SELinux
> implementations,

What point are you making here, exactly?  Do you want Cygwin to emulate 
one of them, or all of them, or none of them?

I think all three choices are doomed, each for a different reason.

> As the next generation (>=KitKat) of Android mobile devices will all be
> distributed with SEAndroid in Enforced mode, by default. These tools
> will be exponentially of more interest to developers, as local editing
> on mobile devices are either crippled, poorly implemented and tested,
> or extremely inconvenient.

That's why the Android SDK includes an emulator, which is a VM, just as 
I described above.

Are you aware that some of the text editors ported to Cygwin can edit a 
file over SSH?  For instance, vim:

    vim scp://user@remotehost:password/path/to/file

The edit proceeds at local speeds.  A save takes a remote file upload, 
but you had to do that anyway.

> I was hoping someone else would
> have been interested enough to have tried to build these.

You aren't going to find SystemTap or iptables tools for Cygwin, either? 
  Why?  Same reason: you need a running Linux kernel to make any use of 
them, and Cygwin is not a Linux kernel.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[PolarStorm]

Warren Young wrote
> On 5/31/2014 12:33, PolarStorm wrote:
>> I'd like to
>> refrain from having to run long remote sessions on each machine while
>> experimentally editing all the various policy files. Downloading all
>> files
>> in
>> one go and doing analysis and editing locally, is why I wanted to do this
>> on Cygwin.
> 
> How is that easier?  You have to test each experimental edit, and that 
> requires a Linux kernel running SELinux.  Cygwin is not a Linux kernel.
> 
> Personally, if I were still experimenting, I'd spin up a VM configured 
> like the system I intended to modify, do my work on it, then ship a 
> completed policy set to the remote system.  Linux VM how-tos are 
> off-topic here, though.

Yes, I'm used to VM's. This is probably the way I'll end up doing it.  
It's to laborious for me to try to compile all these tools on Cygwin.
In addition, I wouldn't know what would be compatible with what. 


>> Another
>> point is that there seem to exist ~3 different "flavors" of SELinux
>> implementations,
> 
> What point are you making here, exactly?  Do you want Cygwin to emulate 
> one of them, or all of them, or none of them?
> I think all three choices are doomed, each for a different reason.

In an ideal world, I would have asked to be able to deal with all of them,
but at this point "any one" could also be helpful.

But it would be more interesting to hear why you think all of them are
"doomed"? 

Thanks for taking the time to give a proper answer, I very much appreciate
it. 

Best Wishes,



--
View this message in context: http://cygwin.1069669.n5.nabble.com/Are-there-any-SELinux-tools-available-for-Cygwin-tp108952p109064.html
Sent from the Cygwin list mailing list archive at Nabble.com.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[Andrey Repin]

Greetings, PolarStorm!

> But it would be more interesting to hear why you think all of them are
> "doomed"? 

> Warren Young wrote
>> requires a Linux kernel running SELinux.  Cygwin is not a Linux kernel.

It would be advantageous to actually read messages, I think.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 03.06.2014, <14:29>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[Warren Young]

On 6/3/2014 02:58, PolarStorm wrote:
>
> But it would be more interesting to hear why you think all of them are
> "doomed"?

Okay.

Option 1, Cygwin supports its own flavor of SELinux, incompatible with 
all others.  Do I really need to tell you why this is a bad idea?

Option 2, Cygwin picks one of the three preexisting flavors to emulate. 
  Most likely reason to fail: Windows's MAC system -- such as it is -- 
doesn't work even vaguely like SELinux, so Cygwin cannot emulate SELinux 
in terms of Windows kernel mechanisms.  The best it could do is provide 
a soft emulation that only works among programs based on Cygwin, and 
then only to the extent that they play by the rules and make all their 
I/O calls via cygwin1.dll.  As soon as they bypass the Cygwin DLL, the 
benefits of SELinux go away.  You do know what the M in MAC stands for, 
right?  It'd be like using velvet ropes to fence off a preschool playground.

Option 3, emulate all preexisting SELinux flavors.  Most likely reason 
to fail: Take Option 2 and multiply it by 3.  Then ask yourself who will 
do all that low-value work.

> Thanks for taking the time to give a proper answer, I very much appreciate
> it.

My first post was a proper answer.  It gave you a perfectly legitimate 
solution to the problem.  The fact that you didn't *like* the answer 
does not rob it of legitimacy.

One of the biggest mistakes people make when asking for help is 
specifying the solution in advance.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: Are there any SELinux tools available for Cygwin?

[Christopher Faylor]

On Tue, Jun 03, 2014 at 01:20:26PM -0600, Warren Young wrote:
>One of the biggest mistakes people make when asking for help is 
>specifying the solution in advance.

Amen.

cgf

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple