Updated release

From: Howard Holm <hdholm@epoch.ncsc.mil>
Date: Tue, 20 Nov 2001 09:10:39 -0500 (EST)


The SELinux web site <http://www.nsa.gov/selinux/> including the mail list archive has been updated. The site includes a new release of the LSM-based SELinux prototype. This release is based on the lsm-2001_11_05 patch against kernel 2.4.14. It fixes a number of bugs, cleans up some code, and is based on newer versions of the kernel and utilities.

The following changes should be carefully noted if you have previously installed SELinux:

  1. LSM has renamed all LSM-related configuration options to use a CONFIG_SECURITY prefix, and we have done likewise for the SELinux kernel option. This means that old .config files aren't quite right anymore. You can still use them, but you'll need to explicitly enable the LSM-related (IP Networking hooks, Capabilities) and SELinux options again when you configure (unless you hand edit your old .config file to reflect the name changes).
  2. A small change was made to the policydb format, so you need to rebuild checkpolicy and recompile your policy with the updated checkpolicy program. Also, if you have customized your policy, you need to at least pick up a new initial SID definition (sysctl_net_unix) in the initial_sid_contexts file.
  3. The execve_secure system call has been reimplemented via the general security system call. Previously, this system call remained as a separate entrypoint due to the inability to access register state (needed by execve) from the general security system call, but this was undesirable because only the security call is reserved in the mainstream kernel. We found that we could reimplement the execve_secure call via the security call by replacing the LSM security call entrypoint function with our own architecture-specific entrypoint function that can support both execve_secure and all of our other calls. So you must recompile libsecure and relink all applications that use exec.*_secure against it (runas, newrole, crond, run_init, sshd, login, Mark Westerman's modified gdm). This will be a nuisance for current users, but ensures that you should never have to do so again, since the security syscall is reserved, unlike the old separate entrypoint for execve_secure.

--

Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

Received on Tue 20 Nov 2001 - 09:36:41 EST

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:26 EDT