* SELinux port for 2.4.28 (and incoming backport from 2.6) released.
@ 2004-12-04 20:38 Lorenzo Hernandez Garcia-Hierro
  2004-12-06 14:21 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Lorenzo Hernandez Garcia-Hierro @ 2004-12-04 20:38 UTC (permalink / raw)
  To: selinux; +Cc: linux-kernel

Hi,

I was wondering for a backport of SELinux patch for the 2.4 brand, and
I've observed that there's just a patch, deprecated, for 2.4.26.

As the first move for trying to backport the current 2.6 patch
capabilities I've ported the old 2.4.26 patch to 2.4.28, without huge
problems and just fixing some errors with proc fs stuff and others.

I've not tested it yet, but hopefully works.

I want to know if someone is interested in doing this, as the main
reasons are that 2.4 kernels are used by many people, possibly more than
the ones using revisions from the 2.6 brand, and also that we can offer
the possibility of using the SELinux enhancements without changing the
kernel. In addition, if you compare 2.6 revisions changelogs with 2.4
ones you can see that many things change between releases, and not in
2.4 that are only security related and critical or major enhancements.

The gzip'ed patch can be found at:
https://sourceforge.net/project/showfiles.php?group_id=118309&package_id=137453

Joshua was telling me that many things changed in the 2.6 releases, and
that many things are deprecated or obsolete in the old 2.4.26 patch, so
I will appreciate any help for backporting them and giving support for
those new capabilities.

I'm CC'ing the LKML because this could be of interest for the kernel
hackers, in a hypothetical case of including a backported and updated
version of SELinux patch in the 2.4 brand.

Cheers and enjoy,
PS: I'm not an experienced developer in C terms, I just do what I can do
and often I get obsessed when I can't get something done, so, I think
that equilibrates the balance of knowledge<->attitudes (it's not easy to
fit all of this in time when you're just fifteen years old, but I can't
excuse unexpected kernel panics :) ).
-- 
Lorenzo Hernández García-Hierro [1024D/6F2B2DEC]
Hardened Debian head developer & project manager.
http://www.debian-hardened.org 


* Re: SELinux port for 2.4.28 (and incoming backport from 2.6) released.
  2004-12-04 20:38 SELinux port for 2.4.28 (and incoming backport from 2.6) released Lorenzo Hernandez Garcia-Hierro
@ 2004-12-06 14:21 ` Stephen Smalley
  2004-12-06 15:20   ` Lorenzo Hernandez Garcia-Hierro
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2004-12-06 14:21 UTC (permalink / raw)
  To: lorenzo; +Cc: selinux

On Sat, 2004-12-04 at 15:38, Lorenzo Hernandez Garcia-Hierro wrote:
> I've not tested it yet, but hopefully works.

For that kernel, you'll have to pass the -c 15 option to checkpolicy to
tell it to build a version 15 policy, as the 2.4-based SELinux doesn't
support newer policy versions.  Specifically, the 2.4-based SELinux was
never updated for the conditional policy support (policy booleans), ipv6
support, and fine-grained netlink classes.  See
http://marc.theaimsgroup.com/?l=selinux&m=107643944721568&w=2.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux port for 2.4.28 (and incoming backport from 2.6) released.
  2004-12-06 14:21 ` Stephen Smalley
@ 2004-12-06 15:20   ` Lorenzo Hernandez Garcia-Hierro
  2004-12-06 18:07     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Lorenzo Hernandez Garcia-Hierro @ 2004-12-06 15:20 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Hi Stephen,

On Mon, 06-12-2004 at 09:21 -0500, Stephen Smalley wrote:
> On Sat, 2004-12-04 at 15:38, Lorenzo Hernandez Garcia-Hierro wrote:
> > I've not tested it yet, but hopefully works.
> 
> For that kernel, you'll have to pass the -c 15 option to checkpolicy to
> tell it to build a version 15 policy, as the 2.4-based SELinux doesn't
> support newer policy versions.  Specifically, the 2.4-based SELinux was
> never updated for the conditional policy support (policy booleans), ipv6
> support, and fine-grained netlink classes.  See
> http://marc.theaimsgroup.com/?l=selinux&m=107643944721568&w=2.

Yes, the conditional policy (v16) could be ported to it, as I have the
diff of the first release (2.6) that came with it, anyway, other stuff
could be hard to backport.

It would be great to have somewhere a SCM to see real diffs and the
evolution of the 2.6 brand, and the old 2.4 one, to compare what things
need to be backported and how to do it.

I will take a look in it later.

Cheers,
-- 
Lorenzo Hernández García-Hierro [1024D/6F2B2DEC]
Hardened Debian head developer & project manager.
http://www.debian-hardened.org 


* Re: SELinux port for 2.4.28 (and incoming backport from 2.6) released.
  2004-12-06 15:20   ` Lorenzo Hernandez Garcia-Hierro
@ 2004-12-06 18:07     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2004-12-06 18:07 UTC (permalink / raw)
  To: lorenzo; +Cc: selinux

On Mon, 2004-12-06 at 10:20, Lorenzo Hernandez Garcia-Hierro wrote:
> Yes, the conditional policy (v16) could be ported to it, as I have the
> diff of the first release (2.6) that came with it, anyway, other stuff
> could be hard to backport.
> 
> It would be great to have somewhere a SCM to see real diffs and the
> evolution of the 2.6 brand, and the old 2.4 one, to compare what things
> need to be backported and how to do it.

Hmm...well, there is Linus' BitKeeper tree, and there is the CVS tree
under the sourceforge selinux project.

I'd expect that you could easily back port the latest security server
code (security/selinux/ss/*), as it is not tightly coupled to the core
kernel.  That would let you use the latest policy version even if the
hook function code isn't making full use of it (although the
fine-grained netlink classes might cause you some pain until you get
that support back ported into the hook functions, which shouldn't be
difficult).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
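
Added example, not part of the thread or of the SELinux project's code: a check of a binary policy's format version against what the running kernel's security server accepts, covering both the `-c 15` advice and the point that a back-ported security server raises the usable version. The header layout (little-endian magic, string length, "SE Linux", version) and the numbers 17 and 18 are taken from the SELinux sources rather than from the messages; `make_header` builds constructed sample input.

```python
import struct

# Header constants and layout as in the SELinux sources (not from the thread).
POLICYDB_MAGIC = 0xF97CFF8C
POLICYDB_STRING = b"SE Linux"
BASE_VERSION = 15  # what `checkpolicy -c 15` builds
# Features added after version 15; 17 and 18 are from the SELinux sources.
FEATURES = {
    16: "conditional policy (policy booleans)",
    17: "IPv6 support",
    18: "fine-grained netlink classes",
}


def read_policy_version(blob: bytes) -> int:
    """Return the version field of a binary kernel policy header."""
    end = 8 + len(POLICYDB_STRING)
    if len(blob) < end + 4:
        raise ValueError("truncated policy header")
    magic, slen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("bad policy magic 0x%08x" % magic)
    if slen != len(POLICYDB_STRING) or blob[8:end] != POLICYDB_STRING:
        raise ValueError("bad policy identification string")
    return struct.unpack_from("<I", blob, end)[0]


def check_loadable(blob: bytes, kernel_max: int = BASE_VERSION):
    """Return (loadable, version, features the kernel would lack)."""
    version = read_policy_version(blob)
    lacking = [FEATURES[v] for v in range(kernel_max + 1, version + 1)
               if v in FEATURES]
    return BASE_VERSION <= version <= kernel_max, version, lacking


def make_header(version: int) -> bytes:
    """Constructed sample: a bare header, not a complete policy."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING + struct.pack("<I", version))


if __name__ == "__main__":
    for ver in (15, 16, 18):
        ok, found, lacking = check_loadable(make_header(ver))
        print("v%d:" % found, "loadable" if ok else "rejected", lacking)
```

Against a real policy file, pass its first 20 bytes as `blob`; `kernel_max` stays at 15 for the 2.4 port as described and rises once a newer security server is in place.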


