* init
From: Russell Coker @ 2003-10-07 15:11 UTC
To: Stephen Smalley; +Cc: SE Linux
We have been having a discussion of initrd etc. There is some great
opposition to modifying the initrd because it's something that no-one wants
changed much (for a variety of support reasons). Also some systems do not
support initrds (e.g. the Sun/Cobalt Qube/RaQ hardware, which has a Linux
kernel in the BIOS that can read an Ext2/Ext3 file system and load a kernel
- they never wrote code for loading an initrd).
An idea that came up was to modify init so that it would do the following:
1) Check if /selinux is mounted. If yes then go to 5.
2) mount /selinux, if mount fails then go to 5.
3) Load the policy from /etc/selinux/policy.xx. If load fails then umount
/selinux, display a message, and go to 5.
4) Exec itself to change domain from kernel_t to init_t.
5) Perform usual init functions.
This seems to work well. I have very similar things implemented in shell
scripts working on a Qube and on a UML virtual machine.
Steve, do you think that this is an acceptable change for a distribution? Or
are there some potential problems that we should consider?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [selinux] init
From: Magosányi Árpád @ 2003-10-07 20:27 UTC
To: russell; +Cc: Stephen Smalley, SE Linux
On Tue, 2003-10-07, Russell Coker wrote:
> We have been having a discussion of initrd etc. There is some great
> opposition to modifying the initrd because it's something that no-one wants
Yepyep.
> An idea that came up was to modify init so that it would do the following:
> 1) Check if /selinux is mounted. If yes then go to 5.
> 2) mount /selinux, if mount fails then go to 5.
> 3) Load the policy from /etc/selinux/policy.xx. If load fails then umount
> /selinux, display a message, and go to 5.
> 4) Exec itself to change domain from kernel_t to init_t.
> 5) Perform usual init functions.
Will Miquel like the idea? I hope so.
I would vote for 5 being:
5) if the policy isn't loaded and we don't have [some indication that we
do not insist on selinux], halt the system with an appropriate message.
The indication could be that there is no selinux support in the kernel,
or some boot option.
* Re: [selinux] init
From: Russell Coker @ 2003-10-08 4:24 UTC
To: Magosányi Árpád; +Cc: Stephen Smalley, SE Linux
On Wed, 8 Oct 2003 06:27, Magosányi Árpád wrote:
> I would vote for 5 being
> < 5) if policy isn't loaded and we don't have [some indication that we
> do not insist on selinux], halt the system with an appropriate message.
>
> The indication could be that there is no selinux support in the kernel,
> or some boot option.
Currently we have been working towards making an SE Linux system usable if
booted with a non-SE kernel. We could have a compile option to do what you
request, but I doubt that we want it on by default. We certainly don't want
it in RPMs that we ship!
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: [selinux] init
From: Magosányi Árpád @ 2003-10-08 6:41 UTC
To: Russell Coker; +Cc: Stephen Smalley, SE Linux
My mailer believes that Russell Coker wrote the following:
> On Wed, 8 Oct 2003 06:27, Magosányi Árpád wrote:
> > I would vote for 5 being
> > < 5) if policy isn't loaded and we don't have [some indication that we
> > do not insist on selinux], halt the system with an appropriate message.
> >
> > The indication could be that there is no selinux support in the kernel,
> > or some boot option.
>
> Currently we have been working towards making a SE Linux system be usable if
> booted with a non-SE kernel. We could have a compile option to do what you
This is the very reason I proposed checking selinux support in the kernel.
What you have proposed is a fail-open solution. The theoretically
correct solution would be fail-safe. A good compromise would be to
assume that if the administrator boots a non-SE kernel or gives a special
boot option, then she knows what she does.
> request, but I doubt that we want it on by default. We certainly don't want
> it in RPMs that we ship!
Fortunately I have no RPM based systems, I am just interested in upstream.
--
GNU GPL: only from a clean source
* Re: [selinux] init
From: Russell Coker @ 2003-10-08 7:20 UTC
To: Magosányi Árpád; +Cc: Stephen Smalley, SE Linux, James Morris
On Wed, 8 Oct 2003 16:41, Magosányi Árpád wrote:
> My mailer believes that Russell Coker wrote the following:
> > On Wed, 8 Oct 2003 06:27, Magosányi Árpád wrote:
> > > I would vote for 5 being
> > > < 5) if policy isn't loaded and we don't have [some indication that we
> > > do not insist on selinux], halt the system with an appropriate message.
> > >
> > > The indication could be that there is no selinux support in the kernel,
> > > or some boot option.
> >
> > Currently we have been working towards making a SE Linux system be usable
> > if booted with a non-SE kernel. We could have a compile option to do
> > what you
>
> This is the very reason I proposed checking selinux support in the kernel.
> What you have proposed is a fail-open solution. The theoretically
> correct solution would be fail-safe. A good compromise would be to
> assume that if the administrator boots a non-SE kernel or gives a special
> boot option, then she knows what she does.
OK, it seems that I didn't understand your initial request. What you want is
for a system that is designed to be running SE Linux to refuse to boot if the
policy cannot be loaded (i.e. the file is corrupt). But if the kernel is a
non-SE kernel (or has the boot option to not enable SE Linux) then it will
continue in the non-SE manner.
This makes sense.
Steve and James, please advise me on how I should determine the difference
between a kernel where we don't desire/support SE Linux and a kernel that
should have SE Linux but has encountered some error.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: [selinux] init
From: Stephen Smalley @ 2003-10-08 12:37 UTC
To: Russell Coker; +Cc: Magosányi Árpád, SE Linux, James Morris
On Wed, 2003-10-08 at 03:20, Russell Coker wrote:
> OK, it seems that I didn't understand your initial request. What you want is
> for a system that is designed to be running SE Linux to refuse to boot if the
> policy can not be loaded (IE the file is corrupt). But if the kernel is a
> non-SE kernel (or has the boot option to not enable SE Linux) then it will
> continue in the non-SE manner.
>
> This makes sense.
>
> Steve and James, please advise me on how I should determine the difference
> between a kernel where we don't desire/support SE Linux and a kernel that
> should have SE Linux but has encountered some error.
You can use the 'selinuxenabled' utility in libselinux to test in a
script whether SELinux is enabled in the kernel, but you likely want to
actually check whether SELinux is in enforcing mode, i.e. check the
value of /selinux/enforce. Note that selinuxfs is mounted before the
policy is loaded, so you can check /selinux/enforce upon a failure to
load the policy and use this to determine whether to halt.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: init
From: Stephen Smalley @ 2003-10-09 14:00 UTC
To: Russell Coker; +Cc: SE Linux
On Tue, 2003-10-07 at 11:11, Russell Coker wrote:
> We have been having a discussion of initrd etc. There is some great
> opposition to modifying the initrd because it's something that no-one wants
> changed much (for a variety of support reasons). Also some systems do not
> support initrd's (EG the Sun/Cobalt Qube/RaQ hardware which has a Linux
> kernel in the BIOS which can read an Ext2/Ext3 file system and load a kernel
> - they never wrote code for loading an initrd).
While I'm willing to concede the point, I would like to note that
performing the policy load from an initrd (or initramfs) has the
advantage of allowing a security-enhanced boot loader to verify the
kernel and policy before kernel startup.
> An idea that came up was to modify init so that it would do the following:
Note that Magosányi Árpád previously posted to the list a similar
solution that he implemented by renaming the real /sbin/init and
replacing it with a small program that exec'd a shell script to perform
the policy load and then executed the real init program.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: init
From: Russell Coker @ 2003-10-10 5:53 UTC
To: Stephen Smalley; +Cc: SE Linux
On Fri, 10 Oct 2003 00:00, Stephen Smalley wrote:
> While I'm willing to concede the point, I would like to note that
> performing the policy load from an initrd (or initramfs) has the
> advantage of allowing a security-enhanced boot loader to verify the
> kernel and policy before kernel startup.
What verification are you referring to? Is this something like a TCPA
verification?
In any case, I can't imagine any verification being done that can't be done at
least as easily from /sbin/init.
> > An idea that came up was to modify init so that it would do the
> > following:
>
> Note that Magosányi Árpád previously posted to the list a similar
> solution that he implemented by renaming the real /sbin/init and
> replacing it with a small program that exec'd a shell script to perform
> the policy load and then executed the real init program.
I've done that before too. However, correctly handling "telinit u" (and some
similar things that happen when you run "reboot") is a bit fiddly in a shell
script. I currently have a check for "if [ ! -f /selinux/load ]" in my
script for such configurations. Also, when running bash in init_t you need
some extra allow or dontaudit rules...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
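The procedure discussed across this thread, put together as an added example (this is not code from any of the posters or from an SE Linux project): Russell Coker's five steps from the first message, written as a wrapper that sits at /sbin/init in front of the renamed real init (the arrangement Stephen Smalley recalls Magosányi Árpád posting), using the `/selinux/load` existence test Russell mentions for step 1, and with step 5 made fail-safe along Stephen Smalley's advice to read `/selinux/enforce` after a failed policy load and halt only when the kernel is enforcing. The loader command (`load_policy`), the renamed init path (`/sbin/init.real`) and the use of `/sbin/halt -f` are assumptions; the policy path is the one named in the thread. The decision is kept in a pure function so it can be exercised against a constructed directory standing in for selinuxfs.

```shell
#!/bin/sh
# Added example, not code from the thread or from any SE Linux project:
# policy load at init time as a wrapper in front of the renamed real init,
# with the fail-safe refinement: after a failed load, read <selinuxfs>/enforce
# and refuse to boot only when the kernel is enforcing.
#
# Assumed (not from the thread): $POLICY_LOADER, $REAL_INIT, /sbin/halt -f.

POLICY_FILE=${POLICY_FILE:-/etc/selinux/policy.xx}   # path as named in the thread
POLICY_LOADER=${POLICY_LOADER:-load_policy}          # assumed loader command
REAL_INIT=${REAL_INIT:-/sbin/init.real}              # assumed renamed real init
SELINUXFS=${SELINUXFS:-/selinux}

# Step 1 (also covers the "telinit u" re-entry case): selinuxfs counts as
# mounted when <mountpoint>/load exists, the test used in the thread.
selinuxfs_mounted() {
    [ -f "$1/load" ]
}

# Print <mountpoint>/enforce (1 = enforcing, 0 = permissive), or nothing when
# it is unreadable. selinuxfs is mounted before the policy is loaded, so this
# is readable even when no policy could be loaded.
enforce_value() {
    [ -r "$1/enforce" ] && cat "$1/enforce"
}

# Pure decision function: one boot's results in, one action out.
#   $1  mount state: already | mounted | nofs
#   $2  policy load result: ok | fail (only consulted when $1 = mounted)
#   $3  value read from <mountpoint>/enforce ("" if unavailable)
# Prints: transition (step 4), continue (step 5) or halt (fail-safe).
decide_boot_action() {
    case "$1" in
        already) echo continue ;;          # policy was loaded earlier this boot
        nofs)    echo continue ;;          # kernel has no SELinux: plain boot
        mounted)
            if [ "$2" = ok ]; then
                echo transition
            elif [ "$3" = 1 ]; then
                echo halt                  # enforcing kernel, no policy: refuse to boot
            else
                echo continue              # permissive kernel: boot without policy
            fi ;;
        *) echo halt ;;                    # unknown state: fail closed
    esac
}

# The failed-load branch on its own, reading enforce from a mount point.
after_failed_load() {
    decide_boot_action mounted fail "$(enforce_value "$1")"
}

# Steps 1-5 against the real system; only meaningful as PID 1.
selinux_init_main() {
    if selinuxfs_mounted "$SELINUXFS"; then
        state=already
    elif mount -t selinuxfs none "$SELINUXFS" 2>/dev/null; then
        state=mounted
    else
        state=nofs
    fi

    load=fail
    if [ "$state" = mounted ]; then
        "$POLICY_LOADER" "$POLICY_FILE" && load=ok
    fi

    case "$(decide_boot_action "$state" "$load" "$(enforce_value "$SELINUXFS")")" in
        halt)
            echo "init: SELinux policy load failed on an enforcing kernel; halting" >&2
            exec /sbin/halt -f
            ;;
        continue)
            # Failed load on a permissive kernel: undo the mount, as step 3 says.
            if [ "$state" = mounted ] && [ "$load" = fail ]; then
                umount "$SELINUXFS"
            fi
            ;;
    esac
    # Steps 4/5: exec the real init. With a policy loaded, this exec is where
    # the kernel_t -> init_t transition happens; without one, init runs as before.
    exec "$REAL_INIT" "$@"
}

# Run the real procedure only when this process actually is init.
if [ "$$" -eq 1 ]; then
    selinux_init_main "$@"
fi
```

Sourcing the file instead of running it as PID 1 leaves only the functions defined, so `decide_boot_action` and `after_failed_load` can be tried against a scratch directory containing `load` and `enforce` files before the script is ever installed as /sbin/init.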