* Re: XFS and LSM
       [not found] <5772.1023963428@ocs3.intra.ocs.com.au>
@ 2002-06-13 10:47 ` Russell Coker
  2002-06-13 11:39   ` Stephen Smalley
  2003-07-08 22:07   ` Ryan Emge
  0 siblings, 2 replies; 8+ messages in thread
From: Russell Coker @ 2002-06-13 10:47 UTC (permalink / raw)
  To: Keith Owens; +Cc: linux-security-module, linux-xfs, SE Linux

On Thu, 13 Jun 2002 12:17, Keith Owens wrote:
> At 10:15 13-6-2002 +0200, Russell Coker wrote:
> >I wanted to build a system running the XFS file system and Linux Security
> >Modules (LSM), so I had a look at hacking the patch files to make them
> > work.
> >
> >I found one issue where the patches severely conflict, system call 1217 on
> >IA64 is sys_setxattr for XFS and is sys_security for LSM!
>
> The *attr syscall numbers are official, in both Linus and Marcelo
> kernels.  LSM is picking an arbitrary syscall number for testing so
> they will have to find another number - and change user space to match.

OK.  Shouldn't be a big issue.

> Pity Linus did not take my patch that reserves a range of syscall
> numbers for testing and provides a clean interface for determining
> which number to use.  Linus does not consider this to be a problem.

Yes, reserving a separate range for testing would be good, especially if you 
can make it work so that patches don't conflict...


BTW  XFS also changes the quota system in a serious way which breaks SE Linux 
(not LSM).

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: XFS and LSM
  2002-06-13 10:47 ` XFS and LSM Russell Coker
@ 2002-06-13 11:39   ` Stephen Smalley
  2003-07-08 22:07   ` Ryan Emge
  1 sibling, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2002-06-13 11:39 UTC (permalink / raw)
  To: Russell Coker; +Cc: linux-security-module, SE Linux


On Thu, 13 Jun 2002, Russell Coker wrote:

> BTW  XFS also changes the quota system in a serious way which breaks SE Linux
> (not LSM).

The changes to the quota code have already been merged into 2.5, and the
2.5 SELinux module in BitKeeper has already been updated for those
changes.  You can backport the quotactl hook from the 2.5 SELinux module.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





* Re: XFS and LSM
  2003-07-08 22:07   ` Ryan Emge
@ 2002-06-13 13:14     ` Russell Coker
  2002-06-13 13:28       ` Stephen Smalley
  2002-06-13 13:20     ` Stephen Smalley
  1 sibling, 1 reply; 8+ messages in thread
From: Russell Coker @ 2002-06-13 13:14 UTC (permalink / raw)
  To: emger, selinux

On Wed, 9 Jul 2003 00:07, Ryan Emge wrote:
> ext2 and ext3 would be optimum filesystems that would not "break" SE Linux?

Stephen says that the quota changes in question are already in 2.5 kernels, 
so if you can find a 2.5.x kernel patch for XFS then it should not cause any 
difficulty (unless you use IA64).

Ext2/3 are not the only file systems that will work without problems.  
ReiserFS is working well for me, there's no reason to expect a problem with 
Minix or any other Inode based file system either.

The only problems are with file systems that lack Inodes (DOS and NFS), and 
with file systems that aren't in the kernel as applying several patches to 
the kernel is likely to result in patches not applying or a kernel that 
doesn't compile.

Anyway I have a 2.4.18 kernel running with XFS support compiled in.  When I 
quickly hacked the support in I probably broke SE support for quotas, but I 
don't care as it's not something that's important to me.  The only problem 
here is that I can't be sure that my sample policy works well for other 
people in this regard (but it would not be difficult for them to fix).

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


* Re: XFS and LSM
  2003-07-08 22:07   ` Ryan Emge
  2002-06-13 13:14     ` Russell Coker
@ 2002-06-13 13:20     ` Stephen Smalley
  1 sibling, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2002-06-13 13:20 UTC (permalink / raw)
  To: Ryan Emge; +Cc: selinux


On Tue, 8 Jul 2003, Ryan Emge wrote:

> ext2 and ext3 would be optimum filesystems that would not "break" SE Linux?

SELinux works fine with ext2 and ext3.  It has also been reported to work
with reiserfs, although we have not tested it ourselves.

With regard to XFS in general, see my prior message on the topic at
http://marc.theaimsgroup.com/?l=selinux&m=101300861319394&w=2.  With
regard to the quota changes, these can be easily addressed by backporting
the corresponding changes to SELinux from the 2.5 SELinux module.
Likewise, the LSM and SELinux changes related to the *xattr operations can
be backported from the 2.5 SELinux module.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





* Re: XFS and LSM
  2002-06-13 13:14     ` Russell Coker
@ 2002-06-13 13:28       ` Stephen Smalley
  2002-06-13 14:37         ` Russell Coker
  0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2002-06-13 13:28 UTC (permalink / raw)
  To: Russell Coker; +Cc: emger, selinux


On Thu, 13 Jun 2002, Russell Coker wrote:

> Stephen says that the quota changes in question are already in 2.5 kernels,
> so if you can find a 2.5.x kernel patch for XFS then it should not cause any
> difficulty (unless you use IA64).

I'd actually suggest backporting the quotactl and *xattr hooks from
the 2.5 LSM and SELinux to the 2.4 kernel with XFS merged.

> Ext2/3 are not the only file systems that will work without problems.
> ReiserFS is working well for me, there's no reason to expect a problem with
> Minix or any other Inode based file system either.

The SELinux kernel module only tries using a persistent label mapping if
it recognizes the filesystem type as being one of a set of known types
that are known to have persistent and unique inode numbers.  It will
currently only try to do this with ext2, ext3, and reiserfs unless you
patch the module.  We'll likely make this configurable so that you can
specify the set of legitimate filesystem types in the policy
configuration.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





* Re: XFS and LSM
  2002-06-13 13:28       ` Stephen Smalley
@ 2002-06-13 14:37         ` Russell Coker
  0 siblings, 0 replies; 8+ messages in thread
From: Russell Coker @ 2002-06-13 14:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: emger, selinux

On Thu, 13 Jun 2002 15:28, Stephen Smalley wrote:
> On Thu, 13 Jun 2002, Russell Coker wrote:
> > Stephen says that the quota changes in question are already in 2.5
> > kernels, so if you can find a 2.5.x kernel patch for XFS then it should
> > not cause any difficulty (unless you use IA64).
>
> I'd actually suggest backporting the quotactl and *xattr hooks from
> the 2.5 LSM and SELinux to the 2.4 kernel with XFS merged.

It's probably easier that way.  Or you can just remove the few lines of code 
in question as I did.  If you don't need SE functionality on quotas that's an 
OK interim solution.

> > Ext2/3 are not the only file systems that will work without problems.
> > ReiserFS is working well for me, there's no reason to expect a problem
> > with Minix or any other Inode based file system either.
>
> The SELinux kernel module only tries using a persistent label mapping if
> it recognizes the filesystem type as being one of a set of known types
> that are known to have persistent and unique inode numbers.  It will
> currently only try to do this with ext2, ext3, and reiserfs unless you
> patch the module.  We'll likely make this configurable so that you can
> specify the set of legitimate filesystem types in the policy
> configuration.

Having it configurable would be good, but in the mean time it's not difficult 
to patch hooks.c .

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


* Re: XFS and LSM
  2002-06-13 10:47 ` XFS and LSM Russell Coker
  2002-06-13 11:39   ` Stephen Smalley
@ 2003-07-08 22:07   ` Ryan Emge
  2002-06-13 13:14     ` Russell Coker
  2002-06-13 13:20     ` Stephen Smalley
  1 sibling, 2 replies; 8+ messages in thread
From: Ryan Emge @ 2003-07-08 22:07 UTC (permalink / raw)
  To: Russell Coker, selinux


So,

ext2 and ext3 would be optimum filesystems that would not "break" SE Linux?

- Ryan

-- 

Ryan O. Emge

Information Assurance & Security
Norwich University - http://www.norwich.edu
158 Harmon Drive
Northfield, VT 05663

An NSA "Center of Academic Excellence in Information Assurance"

E: emger@norwich.edu

On Thu, 13 Jun 2002 12:47:31 +0200
Russell Coker <russell@coker.com.au> wrote:

> On Thu, 13 Jun 2002 12:17, Keith Owens wrote:
> > At 10:15 13-6-2002 +0200, Russell Coker wrote:
> > >I wanted to build a system running the XFS file system and Linux Security
> > >Modules (LSM), so I had a look at hacking the patch files to make them
> > > work.
> > >
> > >I found one issue where the patches severely conflict, system call 1217 on
> > >IA64 is sys_setxattr for XFS and is sys_security for LSM!
> >
> > The *attr syscall numbers are official, in both Linus and Marcelo
> > kernels.  LSM is picking an arbitrary syscall number for testing so
> > they will have to find another number - and change user space to match.
> 
> OK.  Shouldn't be a big issue.
> 
> > Pity Linus did not take my patch that reserves a range of syscall
> > numbers for testing and provides a clean interface for determining
> > which number to use.  Linus does not consider this to be a problem.
> 
> Yes, reserving a separate range for testing would be good, especially if you 
> can make it work so that patches don't conflict...
> 
> 
> BTW  XFS also changes the quota system in a serious way which breaks SE Linux 
> (not LSM).
> 
> -- 
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my address in the
> From field.
> 

* Re: XFS and LSM
       [not found] ` <597600000.1023980333@changeling.engr.sgi.com>
@ 2002-06-13 15:40   ` Russell Coker
  0 siblings, 0 replies; 8+ messages in thread
From: Russell Coker @ 2002-06-13 15:40 UTC (permalink / raw)
  To: richard offer, linux-security-module; +Cc: seth, SE Linux

On Thu, 13 Jun 2002 16:58, richard offer wrote:
> * frm russell@coker.com.au "06/13/02 10:15:08 +0200" | sed '1,$s/^/* /'
> *
> * I wanted to build a system running the XFS file system and Linux Security
> * Modules (LSM), so I had a look at hacking the patch files to make them
> * work.
> *
> * I found one issue where the patches severely conflict, system call 1217
> * on  IA64 is sys_setxattr for XFS and is sys_security for LSM!
> *
> * One of the projects has to change the system call.
>
> The official IA64 syscall number for sys_security will be 1233, as assigned
> by David Mosberger on May 28 in response to an email I sent him.

OK, could we have another release incorporating the correct number in the 
near future?

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
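
Added example (not part of the original thread, and not code from the XFS or LSM projects): a check that flags a syscall number claimed under two different names when independent patch sets are merged, which is the 1217 conflict discussed above. The header fragments are constructed; only the numbers 1217 and 1233 come from the thread, and the `__NR_example_ctx` entry is hypothetical.

```python
import re
from collections import defaultdict

# Matches active '#define __NR_<name> <number>' lines; commented-out defines
# (lines starting with '/*') are deliberately not matched.
DEFINE_RE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+__NR_(\w+)[ \t]+(\d+)\b", re.MULTILINE)

# Constructed sample fragments standing in for each patch's IA64 syscall table.
XFS_PATCH = """\
#define __NR_example_ctx  1200  /* hypothetical shared context line */
#define __NR_setxattr     1217
"""
LSM_PATCH_TESTING = """\
#define __NR_example_ctx  1200  /* hypothetical shared context line */
#define __NR_security     1217
"""
LSM_PATCH_ASSIGNED = """\
#define __NR_example_ctx  1200  /* hypothetical shared context line */
/* #define __NR_security  1217     old testing number, no longer active */
#define __NR_security     1233
"""

def parse_syscalls(header_text):
    """Return (number, name) pairs for every active __NR_ define in the text."""
    return [(int(num), name) for name, num in DEFINE_RE.findall(header_text)]

def find_collisions(patches):
    """patches maps a label to header text. Returns {number: [(label, name), ...]}
    for each number that is claimed under more than one distinct syscall name.
    The same name at the same number in several patches is not a collision."""
    claims = defaultdict(set)
    for label, text in patches.items():
        for number, name in parse_syscalls(text):
            claims[number].add((label, name))
    return {n: sorted(c) for n, c in claims.items()
            if len({name for _, name in c}) > 1}

if __name__ == "__main__":
    for title, lsm in (("LSM testing number", LSM_PATCH_TESTING),
                       ("LSM assigned number", LSM_PATCH_ASSIGNED)):
        hits = find_collisions({"xfs": XFS_PATCH, "lsm": lsm})
        print(title, "->", hits or "no collisions")
```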

