First the good news. Last week I gave a presentation about secure operating
systems, running the slides on Staroffice 6.0 beta on SELinux 20011016. It ran
smoothly like a humming bee. Great! It shows that this stuff is usable on a
laptop.
This said, I would like to re-raise the importance of non-ext2 file system support, notably ReiserFS. It has been pointed out before, by Stephen Smalley, that this should in principle be easy to integrate (the per-node sec context needs to be stored in a file rather than in an unused field of the on-disk inode structure). However, I am not aware of anyone tackling this implementation.
Now, if someone could give me a few hints of where the additional code goes, I would like to volunteer some of my spare brain cycles to tackle this problem. ReiserFS support on SELinux would certainly not only make my day.
Regards
Harald
Tel: +41 1 908 9230      Sun Microsystems (Schweiz) AG
Fax: +41 1 908 9001      Javastr. 2
Mobile: +41 79 349 0393  CH-8604 Volketswil
mailto:harald.von-fellenberg@sun.com
--
You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
On Mon, 19 Nov 2001, Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office wrote:
> This said, I would like to re-raise the importance of non-ext2 file system
> support, notably ReiserFS. It has been pointed out before, by Stephen Smalley,
> that this should in principle be easy to integrate (the per-node sec context
> needs to be stored in a file rather than in an unused field of the on-disk inode
> structure). However, I am not aware of anyone tackling this implementation.
Only the original SELinux prototype was limited to the ext2 filesystem, due to the use of a spare field in the on-disk ext2 inode to store the persistent security identifier (PSID). When we transitioned to LSM, we extended the persistent label mapping to maintain the inode-to-PSID mapping as a regular file because LSM does not provide filesystem-specific hooks. Hence, the LSM-based SELinux prototype should be able to use ReiserFS, although we haven't tried it.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
From: Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office <Harald.Von-Fellenberg_at_sun.com>
IT WORKS ON REISERFS!!!
Why did you not tell me before ... :-)
I will now invest my brain cycles on making the utils compile under Suse 7.x
Thanks and regards
Harald
PS: here is my patch :-)
relabel: $(FILECONTEXTS) setfiles
./setfiles $(FILECONTEXTS) `mount | awk '/ext2/{print $$3}'`
+ ./setfiles $(FILECONTEXTS) `mount | awk '/reiserfs/{print $$3}'`
touch relabel
install: relabel
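Review bot: the added line `./setfiles $(FILECONTEXTS) `mount | awk '/reiserfs/{print $$3}'`` duplicates the ext2 invocation instead of widening its pattern; a single `mount | awk '/ext2|reiserfs/{print $$3}'` would run setfiles once over both sets of mount points. Both lines also match the pattern against the whole `mount` line, so a mount point whose path happens to contain "ext2" or "reiserfs" is relabelled whatever its filesystem type; selecting on the type field (`$$5 == "reiserfs"`) is more precise. And when no filesystem of the given type is mounted, the backquotes expand to nothing and setfiles is run with only $(FILECONTEXTS) as its argument, which is worth guarding against, for example by collecting the list into a variable and skipping the call when it is empty.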
>
>On Mon, 19 Nov 2001, Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office wrote:
>
>> This said, I would like to re-raise the importance of non-ext2 file system
>> support, notably ReiserFS. It has been pointed out before, by Stephen Smalley,
>> that this should in principle be easy to integrate (the per-node sec context
>> needs to be stored in a file rather than in an unused field of the on-disk inode
>> structure). However, I am not aware of anyone tackling this implementation.
>
>Only the original SELinux prototype was limited to the ext2 filesystem,
>due to the use of a spare field in the on-disk ext2 inode to store the
>persistent security identifier (PSID). When we transitioned to LSM, we
>extended the persistent label mapping to maintain the inode-to-PSID
>mapping as a regular file because LSM does not provide filesystem-specific
>hooks. Hence, the LSM-based SELinux prototype should be able to use
>ReiserFS, although we haven't tried it.
>
>--
>Stephen D. Smalley, NAI Labs
>ssmalley@nai.com
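The Makefile recipe in Harald's patch picks the mount points to relabel with `mount | awk '/reiserfs/{print $$3}'`. The following shell script, added here as an example and not code from the thread or from the SELinux tree, does the same selection on the filesystem-type field of `mount` output and skips the labelling step when nothing matches; the mount lines are constructed, and the `setfiles` call is replaced by a placeholder command passed as a parameter.

```shell
#!/bin/sh
# Added example (not from the thread): select mount points by filesystem
# type, matching the "type" field of `mount` output rather than the whole
# line, so a path that merely contains "ext2" or "reiserfs" is not picked up.
# Usage: mountpoints_of_type "ext2 reiserfs" < mount-output
mountpoints_of_type() {
    awk -v want="$1" '
        BEGIN { n = split(want, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        # mount prints: <device> on <mountpoint> type <fstype> (<options>)
        $2 == "on" && $4 == "type" && ($5 in ok) { print $3 }
    '
}

# Constructed sample of `mount` output (not captured from a real host).
# The ext3 entry has "ext2" in its path and must NOT be selected.
SAMPLE_MOUNT='/dev/hda1 on / type ext2 (rw)
/dev/hda2 on /home type reiserfs (rw,notail)
/dev/hda3 on /data/ext2-backup type ext3 (rw)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)'

# Run the labelling command once over every matching mount point, and skip
# it entirely when nothing matches instead of calling it with no paths.
# $1 = space-separated filesystem types, $2 = mount output,
# $3 = command to run (stands in for "./setfiles $(FILECONTEXTS)").
relabel_types() {
    mps=$(printf '%s\n' "$2" | mountpoints_of_type "$1")
    if [ -z "$mps" ]; then
        echo "no $1 filesystem mounted; nothing to relabel" >&2
        return 0
    fi
    # word-splitting of $mps on newlines is intended here
    $3 $mps
}

relabel_types "ext2 reiserfs" "$SAMPLE_MOUNT" "echo setfiles file_contexts"
# prints: setfiles file_contexts / /home
```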
From: Stephen Smalley <sds_at_tislabs.com>
On Mon, 19 Nov 2001, Harald von Fellenberg wrote:
> IT WORKS ON REISERFS!!!
Good, glad to hear it.
> I will now invest my brain cycles on making the utils compile under Suse 7.x
James Bishop has worked on porting the modified utilities to SuSE 7.2, so you should refer to his prior postings in the mailing list archives at http://marc.theaimsgroup.com/?l=selinux.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
From: Hans Reiser <reiser_at_namesys.com>
Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office wrote:
>IT WORKS ON REISERFS!!!
>
>Why did you not tell me before ... :-)
>I will now invest my brain cycles on making the utils compile under Suse 7.x
>
>Thanks and regards
>
>Harald
>PS here my patch :-)
>
>--- setfiles/Makefile.orig Wed Jul 18 22:38:11 2001
>+++ setfiles/Makefile Mon Nov 19 16:19:18 2001
>@@ -9,6 +9,7 @@
>
> relabel: $(FILECONTEXTS) setfiles
> ./setfiles $(FILECONTEXTS) `mount | awk '/ext2/{print $$3}'`
>+ ./setfiles $(FILECONTEXTS) `mount | awk '/reiserfs/{print $$3}'`
> touch relabel
>
> install: relabel
>
>>On Mon, 19 Nov 2001, Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office wrote:
>>
>>>This said, I would like to re-raise the importance of non-ext2 file system
>>>support, notably ReiserFS. It has been pointed out before, by Stephen Smalley,
>>>that this should in principle be easy to integrate (the per-node sec context
>>>needs to be stored in a file rather than in an unused field of the on-disk inode
>>>structure). However, I am not aware of anyone tackling this implementation.
>>
>>Only the original SELinux prototype was limited to the ext2 filesystem,
>>due to the use of a spare field in the on-disk ext2 inode to store the
>>persistent security identifier (PSID). When we transitioned to LSM, we
>>extended the persistent label mapping to maintain the inode-to-PSID
>>mapping as a regular file because LSM does not provide filesystem-specific
>>hooks. Hence, the LSM-based SELinux prototype should be able to use
>>ReiserFS, although we haven't tried it.
>>
>>--
>>Stephen D. Smalley, NAI Labs
>>ssmalley@nai.com
>
>**********************************************************
> Dr. Harald von Fellenberg
> Chief Technologist Global Sales Organisation
> Tel: +41 1 908 9230      Sun Microsystems (Schweiz) AG
> Fax: +41 1 908 9001      Javastr. 2
> Mobile: +41 79 349 0393  CH-8604 Volketswil
> mailto:harald.von-fellenberg@sun.com
>**********************************************************
>
Please let me know if you need anything from the reiserfs team to assist
you in integrating SE Linux and reiserfs. Also, if you are interested
in producing anything that might go into our faq, or as a patch on our
download page, let me know.
If anyone involved in SE Linux is interested in working with us, let me encourage you to view www.namesys.com/v4/v4.html, and feel free to ask us to add new features that make your work easier.
Hans
From: jeff burson <olmy_at_thistledown.org>
Hello,
I've recently installed selinux on my rh7.1 system using the full lsm-selinux-200110161355 tarball (opt.1). I'm playing around with it, learning the system, exploring, etc.
First, my congratulations and gratitude to those who have put this together: a VERY impressive system (and one of the best documented installs of an open-source OS security system I've run across).
A problem I've run into is regarding IPv6. At lsm kernel compile time, I compiled for IPv6 support and have it successfully running. The interface is listening on an assigned IPv6 address and is pingable from another IPv6 device. However, the selinux install of OpenSSH does not appear to be listening on the IPv6 address (it is listening on the IPv4 address).
I have not run into this problem with manual builds (or rpms) of regular openssh recently, so am trying to figure out what's wrong.
Here's the relevant output from configure:
struct sockaddr_in6... (cached) yes
checking for struct in6_addr... (cached) yes
checking for ut_addr_v6 field in utmp.h... (cached) yes
checking for ut_addr_v6 field in utmpx.h... (cached) yes
checking if we need to convert IPv4 in IPv6-mapped addresses... yes (default)
Use IPv4 by default hack: no
Translate v4 in v6 hack: yes
Any ideas or suggestions?
jeff
From: Stephen Smalley <sds_at_tislabs.com>
On Fri, 23 Nov 2001, jeff burson wrote:
> A problem I've run into is regarding IPv6. At lsm kernel compile
> time, I compiled for IPv6 support and having it successfully
> running. The interface is listening on an assigned IPv6
> address and is pingable from another IPv6 device. However,
> the selinux install of OpenSSH does not appear to be listening
> on the IPv6 address (it is listening on the IPv4 address).
>
> I have not run into this problem with manual builds (or rpms)
> of regular openssh recently, so am trying to figure out what's
> wrong.
The SELinux modifications to sshd shouldn't affect the use of IPv6. Does the pure openssh-2.9p2 SRPM for RH7.1 work for you? Did you get any log messages in /var/log/messages when sshd started?
As a side note, LSM doesn't yet provide any hooks in the IPv6 code, just in the IPv4 code, so some of the SELinux network access controls won't be enforced if you are using IPv6.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT