* porting to 2.4?
From: Steven King @ 2000-12-27 19:30 UTC
To: selinux

Is anyone already working on this? I've been looking at it and it seems like
it should be fairly straight forward...

You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: porting to 2.4?
From: Stephen Smalley @ 2000-12-29 15:15 UTC
To: selinux

On Wed, 27 Dec 2000, Steven King wrote:

> Is anyone already working on this? I've been looking at it and it seems like
> it should be fairly straight forward...

We haven't started a port to the 2.4 kernel yet, other than
some preliminary analysis of the differences between 2.2 and
2.4 by a relatively new member of the NSA SELinux team. His
assessment was that a port could be quite involved due to the extent
of changes between 2.2 and 2.4, but I'm not sure how significant
those changes are for our modifications. In addition to porting
our existing changes, we would want to address new features in the
2.4 kernel. Since we have a small development team, we have to
carefully balance between porting what we have to newer kernel versions
and doing further security development. If you are interested in
assisting in a port to the 2.4 kernel, let us know.

--
Stephen D. Smalley, NAI Labs
sds@tislabs.com

* RE: porting to 2.4?
From: Frank Stratton @ 2000-12-30 21:09 UTC
To: selinux

I'm new to this list. My first Linux version was Kernel 0.99 PL113 and have
not done much hacking for a few years. I'm just getting back into it and
setting up a couple of test platforms. I've worked on B1 and B2 operating
systems so I have some feeling for secure systems. I will help in any way
that I can. I can write in C but have not done so in a few years. I can run
system tests since I currently test firewalls and VPNs. I have a lab here
that I can set up any way you wish. Let me know.

Frank Stratton

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Stephen Smalley
Sent: Friday, December 29, 2000 10:15 AM
To: selinux
Subject: Re: porting to 2.4?

On Wed, 27 Dec 2000, Steven King wrote:

> Is anyone already working on this? I've been looking at it and it seems like
> it should be fairly straight forward...

We haven't started a port to the 2.4 kernel yet, other than
some preliminary analysis of the differences between 2.2 and
2.4 by a relatively new member of the NSA SELinux team. His
assessment was that a port could be quite involved due to the extent
of changes between 2.2 and 2.4, but I'm not sure how significant
those changes are for our modifications. In addition to porting
our existing changes, we would want to address new features in the
2.4 kernel. Since we have a small development team, we have to
carefully balance between porting what we have to newer kernel versions
and doing further security development. If you are interested in
assisting in a port to the 2.4 kernel, let us know.

--
Stephen D. Smalley, NAI Labs
sds@tislabs.com

* Re: porting to 2.4?
From: Johnathon Day @ 2001-01-01 16:19 UTC
To: selinux

On Fri, 29 Dec 2000, Stephen Smalley wrote:

> We haven't started a port to the 2.4 kernel yet, other than
> some preliminary analysis of the differences between 2.2 and
> 2.4 by a relatively new member of the NSA SELinux team. His
> assessment was that a port could be quite involved due to the extent
> of changes between 2.2 and 2.4, but I'm not sure how significant
> those changes are for our modifications. In addition to porting
> our existing changes, we would want to address new features in the
> 2.4 kernel. Since we have a small development team, we have to
> carefully balance between porting what we have to newer kernel versions
> and doing further security development. If you are interested in
> assisting in a port to the 2.4 kernel, let us know.

I'm playing around with 2.4, so can help some with the port. I'd have
thought that the port should be -relatively- unaffected by the changes, as
it's (by design) orthogonal to other related features. Therefore, the
changes -should- be limited to only those components that call the API of
the rest of the kernel. (Side-effects should be minimal to non-existent, so
the problem should be confined to one of interface changes.)

The first step in solving a problem is to define its scope as narrowly as
possible and no narrower. But all this is "obvious" stuff, and nothing new
to any programmer. Its only purpose is to offer a slightly less
intimidating perspective on the 2.2se->2.4se port.

On a different note, will the SELinux project use its own IPSec
implementation, or collaborate with FreeS/WAN? Also, will any encryption
code be able to use the International Patches as plug-ins? (It would seem
stupid if everyone on the planet plugged in their own 3DES patch into the
kernel. We only need one copy of any algorithm, but at the moment, we have
algorithms in mcrypt/mhash, the international patches, ENSkip, FreeS/WAN,
and a partridge in a pear tree.)

Jonathan

* Re: porting to 2.4?
From: Stephen Smalley @ 2001-01-08 14:50 UTC
To: selinux

On Mon, 1 Jan 2001, Johnathon Day wrote:

> On a different note, will the SELinux project use its own IPSec
> implementation, or collaborate with FreeS/WAN? Also, will any encryption
> code be able to use the International Patches as plug-ins? (It would seem
> stupid if everyone on the planet plugged in their own 3DES patch into the
> kernel. We only need one copy of any algorithm, but at the moment, we have
> algorithms in mcrypt/mhash, the international patches, ENSkip, FreeS/WAN,
> and a partridge in a pear tree.)

The plan is to integrate an existing IPSEC implementation with the
network mandatory access controls in a similar fashion to the work
done in the Flask research prototype. That work is described briefly in
Appendix A.2 of the paper "The Flask Security Architecture: System Support
for Diverse Security Policies" and at greater length in the master's thesis
"Implementing Mandatory Network Security in a Policy-Flexible System" on the
Flask web page.

--
Stephen D. Smalley, NAI Labs
sds@tislabs.com

* Re: porting to 2.4?
From: Stephen Smalley @ 2001-01-18 13:58 UTC
To: selinux

We have started work on porting to the 2.4 kernel. The new operating
system components added by the Flask architecture (the security server and
the access vector cache) have been ported. The support for labeling
processes and file-related objects has also been ported. The port of
process and file-related mandatory access controls is underway, as is the
port of the network-related labeling. So far, the port has been relatively
straightforward.

If you have reviewed the design and implementation of the Flask security
changes for the 2.2 kernel and have any constructive suggestions (or even
improved implementations) for future versions, let us know. Likewise, if
you have experimented with using the system and have any constructive
suggestions, let us know. If you want to tackle some aspect of the port,
whether porting existing code, improving the implementation of some
existing code, designing and implementing similar controls for some aspect
of the kernel that we haven't covered (especially new features in the 2.4
kernel like devfs), then let us know.

--
Stephen D. Smalley, NAI Labs
sds@tislabs.com