* init
@ 2003-10-07 15:11 Russell Coker
  2003-10-07 20:27 ` [selinux] init Magosányi Árpád
  2003-10-09 14:00 ` init Stephen Smalley
  0 siblings, 2 replies; 8+ messages in thread
From: Russell Coker @ 2003-10-07 15:11 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

We have been having a discussion of initrd etc.  There is some great 
opposition to modifying the initrd because it's something that no-one wants 
changed much (for a variety of support reasons).  Also some systems do not 
support initrds (e.g. the Sun/Cobalt Qube/RaQ hardware which has a Linux 
kernel in the BIOS which can read an Ext2/Ext3 file system and load a kernel 
- they never wrote code for loading an initrd).

An idea that came up was to modify init so that it would do the following:
1) Check if /selinux is mounted.  If yes then go to 5.
2) mount /selinux, if mount fails then go to 5.
3) Load the policy from /etc/selinux/policy.xx.  If load fails then umount
/selinux, display a message, and go to 5.
4) Exec itself to change domain from kernel_t to init_t.
5) Perform usual init functions.

This seems to work well.  I have very similar things implemented in shell 
scripts working on a Qube and on a UML virtual machine.

Steve, do you think that this is an acceptable change for a distribution?  Or 
are there some potential problems that we should consider?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [selinux] init
  2003-10-07 15:11 init Russell Coker
@ 2003-10-07 20:27 ` Magosányi Árpád
  2003-10-08  4:24   ` Russell Coker
  2003-10-09 14:00 ` init Stephen Smalley
  1 sibling, 1 reply; 8+ messages in thread
From: Magosányi Árpád @ 2003-10-07 20:27 UTC (permalink / raw)
  To: russell; +Cc: Stephen Smalley, SE Linux

On 2003-10-07 (Tue), Russell Coker wrote:
> We have been having a discussion of initrd etc.  There is some great 
> opposition to modifying the initrd because it's something that no-one wants 

Yepyep.

> An idea that came up was to modify init so that it would do the following:
> 1) Check if /selinux is mounted.  If yes then go to 5.
> 2) mount /selinux, if mount fails then go to 5.
> 3) Load the policy from /etc/selinux/policy.xx.  If load fails then umount
> /selinux, display a message, and go to 5.
> 4) Exec itself to change domain from kernel_t to init_t.
> 5) Perform usual init functions.

Will Miquel like the idea? I hope so.

I would vote for 5 being
< 5) if policy isn't loaded and we don't have [some indication that we
do not insist on selinux], halt the system with an appropriate message.

The indication could be that there is no selinux support in the kernel,
or some boot option.





* Re: [selinux] init
  2003-10-07 20:27 ` [selinux] init Magosányi Árpád
@ 2003-10-08  4:24   ` Russell Coker
  2003-10-08  6:41     ` Magosányi Árpád
  0 siblings, 1 reply; 8+ messages in thread
From: Russell Coker @ 2003-10-08  4:24 UTC (permalink / raw)
  To: Magosányi Árpád; +Cc: Stephen Smalley, SE Linux

On Wed, 8 Oct 2003 06:27, Magosányi Árpád wrote:
> I would vote for 5 being
> < 5) if policy isn't loaded and we don't have [some indication that we
> do not insist on selinux], halt the system with an appropriate message.
>
> The indication could be that there is no selinux support in the kernel,
> or some boot option.

Currently we have been working towards making a SE Linux system be usable if 
booted with a non-SE kernel.  We could have a compile option to do what you 
request, but I doubt that we want it on by default.  We certainly don't want 
it in RPMs that we ship!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





* Re: [selinux] init
  2003-10-08  4:24   ` Russell Coker
@ 2003-10-08  6:41     ` Magosányi Árpád
  2003-10-08  7:20       ` Russell Coker
  0 siblings, 1 reply; 8+ messages in thread
From: Magosányi Árpád @ 2003-10-08  6:41 UTC (permalink / raw)
  To: Russell Coker; +Cc: Stephen Smalley, SE Linux

My mail client believes that Russell Coker wrote the following:
> On Wed, 8 Oct 2003 06:27, Magosányi Árpád wrote:
> > I would vote for 5 being
> > < 5) if policy isn't loaded and we don't have [some indication that we
> > do not insist on selinux], halt the system with an appropriate message.
> >
> > The indication could be that there is no selinux support in the kernel,
> > or some boot option.
> 
> Currently we have been working towards making a SE Linux system be usable if 
> booted with a non-SE kernel.  We could have a compile option to do what you 

This is the very reason I proposed checking selinux support in the kernel.
What you have proposed is a fail-open solution. The theoretically
correct solution would be fail-safe. A good compromise would be to
assume if the administrator boots a non-se kernel or gives a special
boot option, then she knows what she does.

> request, but I doubt that we want it on by default.  We certainly don't want 
> it in RPMs that we ship!

Fortunately I have no RPM based systems, I am just interested in upstream.

-- 
GNU GPL: only from a pure source




* Re: [selinux] init
  2003-10-08  6:41     ` Magosányi Árpád
@ 2003-10-08  7:20       ` Russell Coker
  2003-10-08 12:37         ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Russell Coker @ 2003-10-08  7:20 UTC (permalink / raw)
  To: Magosányi Árpád; +Cc: Stephen Smalley, SE Linux, James Morris

On Wed, 8 Oct 2003 16:41, Magosányi Árpád wrote:
> My mail client believes that Russell Coker wrote the following:
> > On Wed, 8 Oct 2003 06:27, Magosányi Árpád wrote:
> > > I would vote for 5 being
> > > < 5) if policy isn't loaded and we don't have [some indication that we
> > > do not insist on selinux], halt the system with an appropriate message.
> > >
> > > The indication could be that there is no selinux support in the kernel,
> > > or some boot option.
> >
> > Currently we have been working towards making a SE Linux system be usable
> > if booted with a non-SE kernel.  We could have a compile option to do
> > what you
>
> This is the very reason I proposed checking selinux support in the kernel.
> What you have proposed is a fail-open solution. The theoretically
> correct solution would be fail-safe. A good compromise would be to
> > assume if the administrator boots a non-se kernel or gives a special
> boot option, then she knows what she does.

OK, it seems that I didn't understand your initial request.  What you want is 
for a system that is designed to be running SE Linux to refuse to boot if the 
policy cannot be loaded (i.e. the file is corrupt).  But if the kernel is a 
non-SE kernel (or has the boot option to not enable SE Linux) then it will 
continue in the non-SE manner.

This makes sense.

Steve and James, please advise me on how I should determine the difference 
between a kernel where we don't desire/support SE Linux and a kernel that 
should have SE Linux but has encountered some error.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





* Re: [selinux] init
  2003-10-08  7:20       ` Russell Coker
@ 2003-10-08 12:37         ` Stephen Smalley
  0 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2003-10-08 12:37 UTC (permalink / raw)
  To: Russell Coker; +Cc: Magosányi Árpád, SE Linux, James Morris

On Wed, 2003-10-08 at 03:20, Russell Coker wrote:
> OK, it seems that I didn't understand your initial request.  What you want is 
> for a system that is designed to be running SE Linux to refuse to boot if the 
> policy cannot be loaded (i.e. the file is corrupt).  But if the kernel is a 
> non-SE kernel (or has the boot option to not enable SE Linux) then it will 
> continue in the non-SE manner.
> 
> This makes sense.
> 
> Steve and James, please advise me on how I should determine the difference 
> between a kernel where we don't desire/support SE Linux and a kernel that 
> should have SE Linux but has encountered some error.

You can use the 'selinuxenabled' utility in libselinux to test in a
script whether SELinux is enabled in the kernel, but you likely want to
actually check whether SELinux is in enforcing mode, i.e. check the
value of /selinux/enforce.  Note that selinuxfs is mounted before the
policy is loaded, so you can check /selinux/enforce upon a failure to
load the policy and use this to determine whether to halt.
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: init
  2003-10-07 15:11 init Russell Coker
  2003-10-07 20:27 ` [selinux] init Magosányi Árpád
@ 2003-10-09 14:00 ` Stephen Smalley
  2003-10-10  5:53   ` init Russell Coker
  1 sibling, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2003-10-09 14:00 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Tue, 2003-10-07 at 11:11, Russell Coker wrote:
> We have been having a discussion of initrd etc.  There is some great 
> opposition to modifying the initrd because it's something that no-one wants 
> changed much (for a variety of support reasons).  Also some systems do not 
> support initrds (e.g. the Sun/Cobalt Qube/RaQ hardware which has a Linux 
> kernel in the BIOS which can read an Ext2/Ext3 file system and load a kernel 
> - they never wrote code for loading an initrd).

While I'm willing to concede the point, I would like to note that
performing the policy load from an initrd (or initramfs) has the
advantage of allowing a security-enhanced boot loader to verify the
kernel and policy before kernel startup.

> An idea that came up was to modify init so that it would do the following:

Note that Magosanyi Arpad previously posted to the list a similar
solution that he implemented by renaming the real /sbin/init and
replacing it with a small program that exec'd a shell script to perform
the policy load and then executed the real init program.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: init
  2003-10-09 14:00 ` init Stephen Smalley
@ 2003-10-10  5:53   ` Russell Coker
  0 siblings, 0 replies; 8+ messages in thread
From: Russell Coker @ 2003-10-10  5:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

On Fri, 10 Oct 2003 00:00, Stephen Smalley wrote:
> While I'm willing to concede the point, I would like to note that
> performing the policy load from an initrd (or initramfs) has the
> advantage of allowing a security-enhanced boot loader to verify the
> kernel and policy before kernel startup.

What verification are you referring to?  Is this something like a TCPA 
verification?

In any case, I can't imagine any verification being done that can't be done at 
least as easily from /sbin/init.

> > An idea that came up was to modify init so that it would do the
> > following:
>
> Note that Magosanyi Arpad previously posted to the list a similar
> solution that he implemented by renaming the real /sbin/init and
> replacing it with a small program that exec'd a shell script to perform
> the policy load and then executed the real init program.

I've done that before too.  However correctly handling "telinit u" (and some 
similar things that happen when you run "reboot") is a bit fiddly in a shell 
script.  I currently have a check for "if [ ! -f /selinux/load ]" in my 
script for such configurations.  Also when running bash in init_t you need 
some extra allow or dontaudit rules...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



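The following script is an added example, not code posted by anyone in this thread. It puts together three things discussed above: Russell Coker's five-step plan for init (check for /selinux, mount it, load /etc/selinux/policy.xx, re-exec, then carry on), Stephen Smalley's advice to read /selinux/enforce after a failed policy load to decide whether to halt, and Russell's `[ ! -f /selinux/load ]` test that keeps a "telinit u" re-exec from repeating the load. It takes the "rename the real /sbin/init and put a small wrapper in its place" shape that Stephen attributes to Magosányi Árpád. Assumptions not stated in the thread: the real init is renamed to /sbin/init.real, the `xx` in policy.xx is a number and the highest one is wanted, the policy is loaded by writing it into /selinux/load, and `/sbin/halt -f` is available for the fail-safe path.

```shell
#!/bin/sh
# Added example, not code from the thread: a wrapper installed as /sbin/init
# that performs the five-step policy load proposed above and then execs the
# real init.  Assumed names: the real init renamed to /sbin/init.real, policy
# files named policy.NN under /etc/selinux, selinuxfs mounted on /selinux.

SELINUXFS=${SELINUXFS:-/selinux}         # 2003-era selinuxfs mount point
POLICYDIR=${POLICYDIR:-/etc/selinux}     # directory holding policy.NN files
REAL_INIT=${REAL_INIT:-/sbin/init.real}  # assumed name of the renamed real init

# Step 1: is selinuxfs already mounted?  Russell's own test is whether
# /selinux/load exists.  This is also what makes "telinit u" (which re-execs
# /sbin/init, i.e. this wrapper) harmless: the second pass sees the fs mounted
# and goes straight to step 5.
selinux_mounted() {
    [ -f "$1/load" ]
}

# Step 2: mount selinuxfs.  Failure (e.g. a non-SE kernel) means step 5.
mount_selinuxfs() {
    mount -t selinuxfs none "$1"
}

# Pick the highest-numbered policy.NN in the policy directory.  The thread only
# says "policy.xx"; treating xx as a number is an assumption.  Prints an empty
# line when nothing usable is found.
find_policy() {
    best=""
    bestver=-1
    for f in "$1"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case $ver in ''|*[!0-9]*) continue ;; esac
        if [ "$ver" -gt "$bestver" ]; then
            best=$f
            bestver=$ver
        fi
    done
    printf '%s\n' "$best"
}

# Step 3: load the policy by writing it into selinuxfs's load node.
load_policy() {
    cat "$2" > "$1/load"
}

# Stephen Smalley's rule: selinuxfs is mounted before the policy is loaded, so
# after a failed load $1/enforce is readable.  "1" means the kernel was booted
# to enforce, so a missing policy is a reason to halt (fail-safe); anything
# else (permissive, or no enforce node at all) means carry on without SELinux.
policy_failure_action() {
    if [ -r "$1/enforce" ] && [ "$(cat "$1/enforce")" = 1 ]; then
        echo halt
    else
        echo continue
    fi
}

# Returns 0 when boot may proceed (with or without SELinux), 1 when it must
# halt.  $1 = selinuxfs mount point, $2 = policy directory.
selinux_boot() {
    fs=$1
    dir=$2
    if selinux_mounted "$fs"; then
        return 0                          # step 1: already set up, go to step 5
    fi
    mount_selinuxfs "$fs" || return 0     # step 2: no selinuxfs, go to step 5
    policy=$(find_policy "$dir")
    if [ -n "$policy" ] && load_policy "$fs" "$policy"; then
        return 0                          # step 3 succeeded
    fi
    action=$(policy_failure_action "$fs") # decide before tearing down the fs
    umount "$fs"
    echo "init: failed to load SELinux policy from $dir" >&2
    [ "$action" = halt ] && return 1
    return 0
}

# Only act as init when actually running as PID 1; otherwise the functions
# above are merely defined so the decision logic can be sourced and tested.
if [ "$$" = 1 ]; then
    if selinux_boot "$SELINUXFS" "$POLICYDIR"; then
        # Step 4/5: exec the real init; with a policy loaded, the policy's
        # transition on the init binary moves it from kernel_t into init_t.
        exec "$REAL_INIT" "$@"
    fi
    echo "init: kernel is enforcing and no policy could be loaded, halting" >&2
    exec /sbin/halt -f    # assumption: sysvinit's halt is available
fi
```

The order inside `selinux_boot` matters: the enforce value is read while selinuxfs is still mounted, and only then is the filesystem unmounted and the message printed, which is exactly the window Stephen describes. Because the script only acts when its PID is 1, it can be sourced on a running system to exercise `find_policy` and `policy_failure_action` against a scratch directory before it is ever installed as /sbin/init.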
