All of lore.kernel.org
 help / color / mirror / Atom feed
From: Russell Coker <russell@coker.com.au>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: init patch for loading policy
Date: Tue, 21 Oct 2003 10:52:28 +1000	[thread overview]
Message-ID: <200310211052.28494.russell@coker.com.au> (raw)
In-Reply-To: <1066672941.22196.259.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 21 Oct 2003 04:02, Stephen Smalley wrote:
> > I've attached a patch for /sbin/init to load the policy and set enforcing
> > mode.
>
> Would it be cleaner to just do this via a script run from
> /etc/rc.d/rc.sysinit?  It seems a bit ugly to patch this directly into
> /sbin/init.  The script could perform a 'telinit u' after loading the
> policy to trigger the domain transition for the init process, and would
> simply return immediately upon the second invocation when it detected
> that selinuxfs was already mounted.

Firstly we would need to test that init will actually respond correctly to 
"telinit u" while it's in that stage.  This is something I am concerned 
about, particularly regarding race conditions regarding the completion of 
rc.sysinit (although I guess it's unlikely that rc.sysinit will complete 
before init restarts).

Then there's the issue that rc.sysinit has to get the correct context, so we 
probably need domain_auto_trans(kernel_t, initrc_exec_t, initrc_t).

> > 4)  Check /proc/filesystems for selinuxfs entry, if it's not there then
> > we aren't running an SE Linux kernel so go to FINISH.  If it's there then
> > we have a serious error condition so go to ERR (I forgot to close a file
> > handle, not that it matters much - I'll fix it later).
>
> This should be indicated by the return code / error message when you try
> to mount selinuxfs.
>
> > 6)  Set enforcing mode, if error then go to ERR.
>
> This will always fail on a kernel that was built with
> CONFIG_SECURITY_SELINUX_DEVELOP=n, as /selinux/enforce will not define a
> write operation in that case.  Also, it would require booting with an
> alternate init program in order to boot permissive.  There doesn't seem
> to be any reason to do this, as you can specify enforcing=1 on the
> kernel command line or enable it via rc.sysinit if desired.

OK.  I'll write a new version of the patch to address these issues.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  parent reply	other threads:[~2003-10-21  0:52 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-10-19 15:48 init patch for loading policy Russell Coker
2003-10-20  8:21 ` Carsten Grohmann
2003-10-20 18:02 ` Stephen Smalley
2003-10-20 20:10   ` Daniel J Walsh
2003-10-20 20:46     ` Stephen Smalley
2003-10-20 20:56       ` Daniel J Walsh
2003-10-21 12:19         ` Stephen Smalley
2003-10-21  0:52   ` Russell Coker [this message]
2003-10-21 12:29     ` Stephen Smalley
2003-10-21 14:43       ` Russell Coker
2003-10-21 14:59         ` Stephen Smalley
2003-10-21 16:00           ` Russell Coker
2003-10-21 18:38             ` Daniel J Walsh
2003-10-21 20:14             ` Bastian Blank
2003-10-21 17:50           ` Daniel J Walsh
2003-10-22 22:31             ` Joubert Berger
2003-10-23  1:42               ` Russell Coker
2003-10-21 18:07           ` Daniel J Walsh
2003-10-21 18:54             ` Stephen Smalley
2003-10-21 19:56               ` Stephen Smalley
2003-10-21 12:32     ` Stephen Smalley
2003-10-21 13:56       ` Russell Coker
2003-10-20 20:47 ` Bastian Blank
2003-10-21  0:57   ` Russell Coker
2003-10-21  6:26     ` Bastian Blank

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200310211052.28494.russell@coker.com.au \
    --to=russell@coker.com.au \
    --cc=sds@epoch.ncsc.mil \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.