# NSA SELinux Support???

## sk8harddiefast

Trying to configure my kernel I see on Security section this:

```
NSA SELinux Support (SECURITY_SELINUX)

CONFIG_SECURITY_SELINUX:

This selects NSA Security-Enhanced Linux (SELinux).
You will also need a policy configuration and a labeled filesystem.
If you are unsure how to answer this question, answer N.

Symbol: SECURITY_SELINUX [=n]
Type : boolean
Prompt: NSA SELinux Support
Location:
  -> Security options
Defined at security/selinux/Kconfig:1
Depends on: SECURITY_NETWORK [=y] && AUDIT [=y] && NET [=y] && INET [=y]
Selects: NETWORK_SECMARK [=y]
```

What is this??? An attempt by the NSA to spy on Linux???

And of course the obvious question. Is Gentoo safe? Of course I have nothing to hide, but this doesn't mean that I like to have no personal life even on my own computer!!!!!!!

----------

## Ant P.

Please educate yourself instead of immediately launching into paranoid ranting and raving.

Given that it's been in every mainline kernel for a decade, and the code has been open-source for close to 1.5 decades, someone out of the millions of people who have used and read the code would have noticed by now if it was doing something bad.

----------

## sk8harddiefast

Just because I come from BSD I am a little cautious about the NSA and Linux, because I heard a lot about backdoors in the kernel etc.

So is it better to enable this or not?

----------

## depontius

No.  Or at least not without learning a lot more about it, first.  I would suggest starting by looking into Hardened Gentoo.  They have other hardening schemes besides SELinux.

SELinux is a very complicated thing.  They've made a lot of progress on setting up policies to start with, but it's still complex, and not to be entered without at least some knowledge.

----------

## Tractor Girl

 *Quote:*   

> Just Because I come from BSD I am a little cautious about NSA and Linux because I heard a lot about backdoors on kernel etc

 

BSD  :Wink: 

Grsecurity will be better option for you.

----------

## creaker

 *Ant P. wrote:*   

> ... someone out of the millions of people who have used and read the code would have noticed by now if it was doing something bad.

 

As you know, a million mediocre programmers will not replace a single genius programmer. A million ordinary developers will not notice a trap set by a genius. That's why he is a genius.

The fact that SELinux is open source means nothing in terms of transparency and safety. If it weren't possible to hide backdoors in open source code, the NSA wouldn't ask Torvalds to embed their crap into the kernel. Dual-use code (its secret part) can always be hidden from prying eyes, especially in such a complicated matter as SELinux.

The openness of the code helps to detect unintended vulnerabilities that are not hidden and lie on the surface, in contrast to the carefully hidden backdoors.

 *sk8harddiefast wrote:*   

> So is it better to enable this or not?

As for me, SELinux will be the last thing I would enable on my desktop.

----------

## depontius

I'll say it again.  Forget the NSA for the moment.  SELinux is incredibly complex.  Don't "casually activate it" in your kernel unless you at least know what an "SELinux policy" is and have one either installed or ready for installation, and have read the documentation to know what the correct sequence is.  (Because I haven't.)
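The Kconfig help quoted in the first post names two prerequisites besides the kernel option itself: the "Depends on" symbols (SECURITY_NETWORK, AUDIT, NET, INET, plus the selected NETWORK_SECMARK) and, on the userspace side, "a policy configuration and a labeled filesystem", which is the point depontius keeps returning to. The following POSIX shell script is an added example written for this page, not code from the thread or from Gentoo: it checks a kernel `.config` against that dependency list, and checks whether a compiled policy is installed under the usual `/etc/selinux/config` + `/etc/selinux/<SELINUXTYPE>/policy/` layout (that layout is an assumption about the userspace packaging, not something the help text states). All files it reads are constructed in a temp directory, so it runs offline; point the two functions at a real `.config` and at `/` to check an actual box.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the two things the
# Kconfig help text and depontius's advice say are needed before turning on
# CONFIG_SECURITY_SELINUX: kernel-side dependencies and an installed policy.
# Every path used below is constructed in a temp directory for the demo.

# Succeed when CONFIG_<symbol>=y appears in the given .config file.
kconfig_enabled() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# Check the "Depends on:" list (SECURITY_NETWORK, AUDIT, NET, INET) and the
# "Selects:" symbol (NETWORK_SECMARK) from the Kconfig help. Prints what is
# missing; returns 0 only when SELinux could actually be built from this .config.
selinux_kconfig_check() {
    config="$1"
    missing=""
    for sym in SECURITY_NETWORK AUDIT NET INET; do
        kconfig_enabled "$config" "$sym" || missing="$missing $sym"
    done
    if [ -n "$missing" ]; then
        echo "SELinux cannot be enabled: missing dependencies:$missing"
        return 1
    fi
    if kconfig_enabled "$config" SECURITY_SELINUX && ! kconfig_enabled "$config" NETWORK_SECMARK; then
        echo "SECURITY_SELINUX=y but NETWORK_SECMARK is off: .config is inconsistent"
        return 1
    fi
    echo "SELinux kconfig dependencies satisfied"
    return 0
}

# Userspace side: the kernel enforces nothing until a policy is loaded. Assumed
# layout: $root/etc/selinux/config naming SELINUXTYPE, and a compiled binary
# policy under $root/etc/selinux/<type>/policy/. Returns 0 when both exist.
selinux_policy_present() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "no $cfg: SELinux userspace is not configured"; return 1; }
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "SELINUXTYPE not set in $cfg"; return 1; }
    if ls "$root/etc/selinux/$ptype/policy"/policy.* >/dev/null 2>&1; then
        echo "found compiled policy for SELINUXTYPE=$ptype"
        return 0
    fi
    echo "SELINUXTYPE=$ptype but no compiled policy under $root/etc/selinux/$ptype/policy/"
    return 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed .config with everything SELinux needs.
cat > "$WORK/config.good" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_NETWORK_SECMARK=y
EOF

# Constructed .config where AUDIT and SECURITY_NETWORK were left off: the state
# in which the menu entry cannot be selected at all.
cat > "$WORK/config.bad" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
# CONFIG_AUDIT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_SELINUX is not set
EOF

# Constructed fake roots: one with a compiled policy, one with only the config file.
mkdir -p "$WORK/root.good/etc/selinux/strict/policy" "$WORK/root.bad/etc/selinux"
printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$WORK/root.good/etc/selinux/config"
: > "$WORK/root.good/etc/selinux/strict/policy/policy.33"
printf 'SELINUX=enforcing\nSELINUXTYPE=strict\n' > "$WORK/root.bad/etc/selinux/config"

selinux_kconfig_check "$WORK/config.good"
selinux_kconfig_check "$WORK/config.bad" || true
selinux_policy_present "$WORK/root.good"
selinux_policy_present "$WORK/root.bad" || true
```

The second fake root illustrates the failure mode depontius warns about: `SELINUX=enforcing` is set but no policy exists to load, so a kernel built with the option and booted with enforcement on has nothing to enforce against. The labeled-filesystem requirement is not checked here; that needs a real filesystem with xattr support and a relabel run, which cannot be demonstrated offline.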

----------

## i92guboj

 *sk8harddiefast wrote:*   

> Trying to configure my kernel I see on Security section this:
> 
> What is this??? The try of NSA to spy Linux???
> 
> And of course the obvious question. Is Gentoo safe? Of course I have nothing to hide, but this don't mean that I like to have no personal life even on my own computer!!!!!!!

 

Ugh, I've never looked into the code and, even if I did, I'm 98% sure I wouldn't completely understand it because I suck at crypto and that stuff. But it's an easy question: you don't want it, you don't use it. The code might be as evil as Hitler, but the kernel developers are the ones who integrate it into the build tree, and they truly make sure that if you disable a code path, then that code is not compiled, and so it can't run. And so, you are safe from the NSA evil-ness.

As for the evil itself... well... on one side, I tend to agree that if something wrong was there, it should have been disclosed by now. That code wasn't introduced yesterday, it's been there for long, and it's certainly been there in all the Linuxes you've tried, not just Gentoo. 

On the other side, I believe that, like in quantum physics, you can never be 100% sure. If this was an evident backdoor that has gone unnoticed for a decade even being evident, then it wouldn't be the first at all.

Anyway... what does an NSA backdoor look like?!?  :Twisted Evil: 

----------

## miroR

 *creaker wrote:*   

>  *Ant P. wrote:*   ... someone out of the millions of people who have used and read the code would have noticed by now if it was doing something bad. 
> 
> As you know, a million mediocre programmers will not replace a single genius programmer. Million ordinary developers will not notice a trap set by a genius. That's why he is a genius.
> 
> The fact that SELinux is open source means nothing in terms of transparency and safety. If it wouldn't be possible to hide backdoors in open source code, NSA wouldn't ask Torvalds for embedding their crap into kernel. Dual-use code (its secret part) always can be hide from prying eyes, especially in a such complicated matter as SELinux.
> ...

 

The above is very true, and very correct.

But what if some of you people, said that you

"do think NSA is hacking people"...

I mean, don't even think of saying that the NSA is tapping the whole world? They'd send a killer to kill you like they (well some of the other agencies, but that's the same kind) killed Michael Hastings... R.I.P, Michael...

Somebody somewhere said "NSA is hacking people" and there were a bunch of trolls upon him and went off the wall, straight!...

Sorry for my bitterness.

But I would actually like to ask you people, pls. what happened to the Grsecurity documentation on www.gentoo.org ?

There used to be ample!

Now, do you see what I see when you open:

http://www.gentoo.org/proj/en/hardened/roadmap.xml

I mean, just a few links at the bottom, and e.g. the quickstart available only as PDF, while I remember very well it was a great document that opened at least a dozen Grsecurity/Pax related documents?

Also, what happened to hardened sources?

I mean, I have been trying to reinstall Gentoo, and in the kernel, the hardened stage3 one downloaded, all is SELinux by default...

Actually it could have to do something with the change in leadership, couldn't it?

What's the story of Zach Medic leaving? I'm not familiar really... Is it public somewhere for reading?

Could anybody give a hand, I mean pitch in with a little research and contacting around, let's try and get Anthony Basile (IIRC he is the author of TinHat), to maybe revert this, what I regard as: ruining of Gentoo... Well, I mean, pls. people, give us those documents back before public eyes! There was a slew of documentation on Grsecurity/Pax and was being rapidly developed, on gentoo.org, yes, on gentoo.org, I think maybe one year ago, but I'm not good at precisely remembering times...

#####################################################

I can't do much, I have had serious damage and am in overwork mode...

#####################################################

My troubles go way back, some only I have managed to document:

"grsec: halting the system due to suspicious kernel crash"

http://forums.grsecurity.net/viewtopic.php?f=3&t=3709

Here at forums.gentoo also my troubles have gone for long now:

"System attacked, Konqueror went on window-popping spree!"

https://forums.gentoo.org/viewtopic-t-905472.html

If Grsecurity were not viable in Gentoo, Gentoo will become just nice looking crap, nothing else.

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## 666threesixes666

http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg

----------

## miroR

 *666threesixes666 wrote:*   

> http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg

 

That opens nothing for me. But even if it did, I don't care if it has nothing to do with the issue of Grsecurity documentation that was lots of it on www.gentoo.org.

Are there really so few people who understand the severity of these issues?

Documentation that was, I repeat, ample and reliable, on Grsecurity, gone to /dev/null?

And no one cares?

Miroslav Rovis

----------

## 666threesixes666

My method of security is to have nothing compromising or important in the first place. It's a picture of tin hats. I'm with Ant P. on this one: if it were compromising, people would have noticed by now. There are methods to firewall all in & out traffic. ufw & ufw-frontends show traffic logs. Check IP addresses online against NSA IPs.

----------

## blueness

 *miroR wrote:*   

>  *666threesixes666 wrote:*   http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg 
> 
> That opens nothing for me. But even if it did, I don't care if it has nothing to do with the issue of Grsecurity documentation that was lots of it on www.gentoo.org.
> 
> Are there really so few people who understand the severity of these issues?
> ...

 

I don't like documenting.  But have a look at:  https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart   There are also related links at the bottom.   If you find stuff that's wrong or incomplete, then add it to the wiki.

----------

## miroR

 *blueness wrote:*   

>  *miroR wrote:*    *666threesixes666 wrote:*   http://www.godlikeproductions.com/sm/custom/b/d/nmsjtsnn.jpeg 
> 
> That opens nothing for me. But even if it did, I don't care if it has nothing to do with the issue of Grsecurity documentation that was lots of it on www.gentoo.org.
> 
> Are there really so few people who understand the severity of these issues?
> ...

 

Thank you, good Gentoo dev, sincerely!

Now, while I was in the process of writing my mail below, I got this reply from Anthony, but I can not rewrite all that I prepared for posting.

So just keep that fact in mind, that I wrote the most part below, before this reply.

===========================================

 *666threesixes666 wrote:*   

> My method of security is to have nothing compromising or important in the first place. It's a picture of tin hats. I'm with Ant P. on this one: if it were compromising, people would have noticed by now. There are methods to firewall all in & out traffic. ufw & ufw-frontends show traffic logs. Check IP addresses online against NSA IPs.

 

I respect your stance. Pls. respect mine, you keep with SELinux, no problem for me, I keep against SELinux, no problem for you must be. Thanx!

Back to the issue of Grsecurity documentation.

I was saying, we need to know more on the issue of documentation basically retrograded from what it was.

I was also saying that: "I can't do much..." and I gave the reason...

Pls. find both above.

But I have to do something about this.... I'm out of Gentoo, if Grsecurity is beaten up so much in the new state of affairs in Gentoo, under the (if that is the case, information missing) new leadership, that it is not viable for non-experts like me, and given the enormity of the documentation missing (since when, did it disappear gradually or all of a sudden, information again missing)...

So, if I have to be out of Gentoo, which, for me, and I believe that I am allowed to deem so, Gentoo is pure nice-looking crap, for me, I repeat, if I can't get Grsecurity to work on it...

And by this time, I am pretty used to Gentoo... I've benefited a lot from GNU/Linux in general, and Gentoo has been a flavor that I grew enamored of...

And now, the default in the Hardened kernel, the SELinux, which, IMO, and I am glad that the Superpower does have that much democracy left, for me to be able to state the following claim: which, IMO (sic!) gives newbies wholesale to NSA's spying.

Yes, exactly so, and exactly in my opinion. IMO.

Pls. notice what creaker said above. Read it twice, or more times.

That is soooo truuee.

IMO: Dear leader Linus is a genius, but he is ruining the beauty of the free world which GNU/Linux, the OS which has even been named after him... He has been ruining it ever since he introduced SELinux in it. IMO.

In my opinion.

Pls. keep up that hated by those who want privacy and know that there isn't any with it, SELinux as option, if you really want, dear Gentoo GNU/Linux leaders, keep it as option, if you really have to.... Keep it, but...

Keep it, but don't prevent poor users like me (it's in the Gospel sense of the word) from installing the privacy defending Grsecurity/Pax-patched kernel into our boxes, by denying us access to the information on Grsecurity!

Don't do _that_!

Because that is against any moral codex, that is certainly against GNU as licence, that is (information missing, haven't read it) very probably against the Statute of the Gentoo Foundation!

Where is that documentation? Does anyone have any backups anywhere? Post them, please!

I also sent a message to Anthony G. Basile

=========================================

And it was at this point that I noticed he replied to my mail here, publically.

Thanks again. Pls. keep up maintaining Grsecurity/Pax patches for the Genius's kernel. And if only he reverted to the ways of the good people!

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

I'm oldish, not fresh as most of the readers.

But still, it's not my inability to search!

You know what I think it is?

And those who are reading right now can find out it is so very probably easily...

No, it's not. But let me tell you what I thought it was.

I thought it was just the word grsecurity was missing from the terms that https://wiki.gentoo.org/i would readily find those articles. and instead only Grsecurity2 was there...

No, that wasn't it, because now, now that I had already opened one of the pages, it returned a whole bunch of it...

Upon entering the term "grsecurity"....

IMO:

Gentoo has always had a strong team of Grsecurity-patching kernel developers, which, let me say it for the newbies, is basically giving the kernel most of its privacy back, thanks to Spender and Pax Team, two geniuses like our Dear Leader Linus gone NSA loving, who are, along with a team around them, righting out some of the backdoors from Linus's kernel...

IMO.

It was, and it is likely to be for many of especially newbies, searching for Grsecurity documentation,

IMO:

plain censorship

IMO.

Don't do _that_ either. You ruined so much of my time, but at least I've drawn the attention of more newbies to what SELinux really is, hopefully. I don't live selfishly. I want privacy for all good people!

You ruined so much of my time, because I searched correctly, and the Wiki didn't give me back other than the roadmap page, just as I reported above. 

I can't prove what I stated above. Due to downtime of some of my systems I'm under-resourced. But I did see with my own two eyes that wiki.gentoo.org upon my first search this day for the term "grsecurity" didn't give me much, and didn't give me the sufficient resources that there still are, and which it is now giving back to me upon the exact same search of mine.

It could have been an error, but go and study my posts on Debian Forums and on Grsecurity Forums about the Debian attitude toward Grsecurity and find out about "errors".... Just search for my name. Plenty there, unless, of course, your searches are censored on Debian Forums as well. Not on Grsecurity Forums, not that...

Due to some strong statements that I posted, I need to be back to see if any replies will be there for my answering back, but I am strapped for time, so I'll be back only in maximum of a few hours, and then I must be off.

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## TomWij

 *miroR wrote:*   

> It was, and it is likely to be for many of especially newbies, searching for Grsecurity documentation,
> 
> IMO:
> 
> plain censorship
> ...

 

It is made quite visible for example in https://wiki.gentoo.org/wiki/Hardened/FAQ where you can then go to the quickstart and even find more resources at the bottom of the quickstart in https://wiki.gentoo.org/wiki/Project:Hardened/Grsecurity2_Quickstart#Resources where I think there is a lot more to read, as a wiki intends to cover those things in the context of Gentoo whilst not copying the entire upstream documentation; there's no censorship afaik (otherwise you would find it in Google Cache, way back machine, ...), but it might be the case that older versions are replaced by newer versions given that the Gentoo maintainers move towards moving the new version and deprecate and/or remove the old version.

----------

## miroR

 *TomWij wrote:*   

>  *miroR wrote:*   It was, and it is likely to be for many of especially newbies, searching for Grsecurity documentation,
> 
> IMO:
> 
> plain censorship
> ...

 

All is fine. Now.

I won't go into any more details on this.

Thanks for caring!

I might be back to report how I reinstalled Gentoo from scratch. A non-expert as me, and having been under attack, as documented (there are links above), who knows if I'll even make it at all....

But Gentoo might continue to be my favorite GNU/Linux as well, if I do make it...

Namely, the breaking into my systems that I documented in the link in my first post in this topic, above, are not all, and one of my Gentoo boxes is basically now out of use on the SOHO, only as standalone, and it's... a crippled SOHO...

But I'm digressing now, somewhat...

Pls. keep Gentoo free, privacy-viable and kind as it has been for the most of its lifetime so far!

Miroslav Rovis

Zagreb, Croatia,

www.CroatiaFidelis.hr

----------

## miroR

There is somewhat of a follow-up, as far as privacy-viable Gentoo goes, here:

Offline Install, use emerge-webrsync to check and log?

https://forums.gentoo.org/viewtopic-t-987268.html

Miroslav Rovis

Zagreb, Croatia

www.CroatiaFidelis.hr

----------

## miroR

Having today had another opportunity to ponder over the real ailments in FOSS Linux, I want to, if I may, bring this issue with the great title of "NSA SELinux Support??" to the fore.

So that at least a few more newbies can notice this, and so that they can have a choice.

Few people, I think (but I may see otherwise right here, don't know) are anymore willing to stand behind the NSALinux, sorry: SELinux, in public, well I hope at least few people in Gentoo...

This is what I wrote elsewhere and which I stand by:

Sadly that [actually those advanced installs, such as grsec-hardened with deployed RBAC policy rules] is advanced, regardless how grsecurity is simple to use in comparison with the NSALinux... It is sad that that is advanced. Few newbies, unless they are really bright, can arrive there easily, and that, IMO, is a shame on FOSS Linux at large... Deploying NSALinux, sorry: SELinux, on newbies... It's a shame!

I wrote that in a fractionally, or should I say marginally, related topic:

The new cronbase' issues with grsec RBAC policy

https://forums.gentoo.org/viewtopic-t-1026832.html#7799660

The thing with FOSS ([F]ree [O]pen [S]ource [S]oftware) Linux is: it is still free as a bird, if we want it to be. It does not belong to any particular national jurisdiction by any default, in the sense that we could be blackmailed for this or that. FOSS Linux is, as Free Software, above infra-juridical and other informal governmental constraints and pressures in whichever, including the leader U.S., state/national environment, with all our GNU-compatible licenses.

We are not like Apple or M$ to depend on a few big one-ring cravers who want to control us all, like they, Apple and M$, do, for any big paying subjects (read: states and mostly really big business, militaries and state agencies comprised)...

By definition we, the FOSS Linux loosely knit community, can be freer!

I have no more time.

EDIT 2015-08-16 23:01+02:00: So that no one would think I blame Gentoo for NSALinux, erh, SELinux, no, read more carefully what I wrote, it's: "FOSS Linux at large". Exactly Gentoo FOSS Linux is among the least "guilty" in this story, and it's been only getting cleaner.

Also see what I wrote over on Grsecurity Forums (and be aware that Gentoo is the home of FOSS Linux grsec-hardening):

Issues with and RBAC Policy for Postfix

http://forums.grsecurity.net/viewtopic.php?f=5&t=4230#p15473

EDIT END

EDIT 2015-08-17 04:28+02:00: improved the language:

s/FOSS Linux it above national jurisdiction as Free Software/FOSS Linux is, as Free Software, above infra-juridical and other informal governmental constraints and pressures in whichever, including the leader U.S,, state\/national environment/

EDIT END

----------

