>>SELinux Mailing List: by thread
From: Matt Jezorek <mjezorek_at_usa.net>
subject: Re: [Re: selinux included in new distro]
Date: 22 Jun 2001 14:41:31 EDT

Thank you for all the information. I wanted to make sure that there were no underlying pieces involved that might have been questionable GPL, plus I like contacting the development team/creators to make sure that there is no objection or anything to watch out for.

Matt Jezorek
mjezorek@usa.net
http://bluelinux.sourceforge.net

P.S. anyone successfully patched selinux with XFS?

Stephen Smalley <sds@tislabs.com> wrote:
>
> On 22 Jun 2001, Matt Jezorek wrote:
>
> > Basics under current selinux licensing I can use selinux as the
> > base for a new distro correct provided I leave the copyright and info
> > and supply source (naturally) of any changes and so on...Is this
> > statement correct?
>
> You are free to use SELinux as part of a Linux distribution under
> the same conditions as any other GPL'd software. All of the SELinux
> software is licensed under the GPL, including both the patches to
> existing GPL'd software (obviously and necessarily) and the newly
> developed components.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
>
>
>
>

Matt Jezorek
P.O. Box 1436
Hillsborough, NC 27278
919-643-2801

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: [Re: selinux included in new distro]
Date: Fri, 22 Jun 2001 16:15:23 -0400 (EDT)

On 22 Jun 2001, Matt Jezorek wrote:

> P.S. anyone successfully patched selinux with XFS?

The SELinux kernel patch only provides file labeling support for ext2 file systems. To use the SELinux kernel patch with XFS (or any other file system type other than ext2), you would need to implement support for binding persistent security identifiers (PSIDs) to files in that file system type. Otherwise, your files won't be labeled with security information. With ext2, we used a spare field in the on-disk inode to store the PSID - see our changes to the files under slinux/kernel-2.4/fs/ext2. Using a spare field in the existing on-disk inode avoids the need to maintain a separate on-disk mapping between inodes and PSIDs. With XFS, you would probably implement equivalent support using extended attributes. Our expectation was that the persistent label mapping would ultimately be replaced by extended attributes if/when extended attributes become part of the mainstream Linux kernel.

The new LSM-based SELinux loadable kernel module uses a different approach than the SELinux kernel patch since LSM does not provide us with access to the on-disk inode. It maintains a separate on-disk mapping between inodes and PSIDs, costing us in performance but providing more general support for a variety of file systems. We also used this same approach in the predecessor of SELinux, the Flask prototype. This support could also be integrated into the SELinux kernel patch.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
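
An added example, not part of the original message or of the SELinux code: a small C checker for the "files won't be labeled" condition described above. It assumes labels are stored in the `security.selinux` extended attribute, as current SELinux kernels do, rather than in the spare ext2 inode field of the 2001 patch; the function and enum names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Outcome of looking for a security label on one file. */
enum label_state { LABELED, UNLABELED, FS_NO_XATTR, LOOKUP_ERROR };

/* Map an lgetxattr() result to a state.
 * ENODATA: the file system stores extended attributes, but this file has
 *          no label bound to it.
 * ENOTSUP: the file system cannot store the attribute at all, i.e. it has
 *          no labeling support. */
enum label_state classify(ssize_t rc, int err)
{
    if (rc > 0)
        return LABELED;
    if (rc == 0 || err == ENODATA)
        return UNLABELED;          /* empty or missing label */
    if (err == ENOTSUP)
        return FS_NO_XATTR;
    return LOOKUP_ERROR;           /* ENOENT, EACCES, ERANGE, ... */
}

/* Read the label of `path` into buf, NUL-terminated. Symlinks are not
 * followed, so the label reported is the link's own. */
enum label_state read_label(const char *path, char *buf, size_t len)
{
    if (len == 0)
        return LOOKUP_ERROR;
    ssize_t rc = lgetxattr(path, "security.selinux", buf, len - 1);
    int err = errno;
    buf[rc > 0 ? rc : 0] = '\0';
    return classify(rc, err);
}

/* Report each path given on the command line; exit 1 if any lacks a label. */
int main(int argc, char **argv)
{
    static const char *names[] = { "labeled", "UNLABELED",
                                   "no-xattr-support", "error" };
    char label[256];
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        enum label_state s = read_label(argv[i], label, sizeof label);
        printf("%-17s %s %s\n", names[s], argv[i], label);
        if (s != LABELED)
            bad = 1;
    }
    return bad;
}
```

Run over the files of a newly mounted file system type, a block of `no-xattr-support` results indicates that the file system cannot carry labels at all, while scattered `UNLABELED` results point to individual files that were never labeled.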





From: Darrell McGuire <dmcguire_at_pegasys.cc>
subject: SELinux with acl.bestbits.at ext2fs patch
Date: Sat, 23 Jun 2001 09:45:21 -0700


Have any of you attempted a dual patch of both the POSIX ACL patch from Andreas Gruenbacher (acl.bestbits.at) and SELinux?

Second question, as a follow up, does the dev. team for SELinux view this technology as a way to help harden a firewall, or as more of a general purpose OS security tool?

Thank you for your time,

   Darrell McGuire

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: SELinux with acl.bestbits.at ext2fs patch
Date: Mon, 25 Jun 2001 10:54:41 -0400 (EDT)

On Sat, 23 Jun 2001, Darrell McGuire wrote:

> Have any of you attempted a dual patch of both the POSIX ACL patch
> from Andreas Gruenbacher (acl.bestbits.at) and SELinux?

We have not. SELinux currently provides its own support for binding security attributes to files. If support for extended attributes were integrated into the mainstream kernel, then we would naturally investigate using that support instead.

> Second question, as a follow up, does the dev. team for SELinux
> view this technology as a way to help harden a firewall, or as more
> of a general purpose OS security tool?

You can configure the SELinux access controls to meet a variety of needs. So you can use SELinux to harden a firewall or a web/mail/DNS server. You can also use SELinux on client systems to protect users against malicious code. However, it will naturally be easier to configure the security policy for firewalls and dedicated server systems than for client systems.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:53 EDT
