* Advice on bringing up SE Linux
@ 2005-02-01 18:51 Villalovos, John L
  2005-02-01 19:00 ` Stephen Smalley
From: Villalovos, John L @ 2005-02-01 18:51 UTC (permalink / raw)
  To: selinux

I am trying to bring up SE Linux on an Intel Xscale processor.  An
IQ80310 to be specific.

We are using a 2.6.5 kernel, since it is the last one to support the
IQ80310 :(

We have compiled up a kernel with SE Linux.  Mounted the selinuxfs on
/selinux.

Now I am trying to figure out how to enable SE Linux.  All the utilities
say the SE Linux is disabled.

When I do:

[iq80310]# cat /proc/self/attr/current
Kernel

And I think I should get something like:
[fc3]# cat /proc/self/attr/current
root:system_r:unconfined_t

I have tried compiling up a policy.15 file and then just cat >
/selinux/load

But that doesn't seem to change anything.

Any help would be greatly appreciated :)

Thanks,
John


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Advice on bringing up SE Linux
  2005-02-01 18:51 Villalovos, John L
@ 2005-02-01 19:00 ` Stephen Smalley
  2005-02-01 19:24   ` Stephen Smalley
From: Stephen Smalley @ 2005-02-01 19:00 UTC (permalink / raw)
  To: Villalovos, John L; +Cc: selinux

On Tue, 2005-02-01 at 13:51, Villalovos, John L wrote:
> I am trying to bring up SE Linux on an Intel Xscale processor.  An
> IQ80310 to be specific.
> 
> We are using a 2.6.5 kernel, since it is the last one to support the
> IQ80310 :(
> 
> We have compiled up a kernel with SE Linux.  Mounted the selinuxfs on
> /selinux.
> 
> Now I am trying to figure out how to enable SE Linux.  All the utilities
> say the SE Linux is disabled.
> 
> When I do:
> 
> [iq80310]# cat /proc/self/attr/current
> Kernel
> 
> And I think I should get something like:
> [fc3]# cat /proc/self/attr/current
> root:system_r:unconfined_t
> 
> I have tried compiling up a policy.15 file and then just cat >
> /selinux/load
> 
> But that doesn't seem to change anything.
> 
> Any help would be greatly appreciated :)

Any output in /var/log/messages from the attempt to write the policy to
/selinux/load?  Any difference if you run load_policy on the binary
policy instead of directly cat'ing it?

A lot has changed in SELinux since 2.6.5, so you really need to move to
a newer kernel if you want to seriously use it.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Advice on bringing up SE Linux
  2005-02-01 19:00 ` Stephen Smalley
@ 2005-02-01 19:24   ` Stephen Smalley
  2005-02-03  7:13     ` Russell Coker
From: Stephen Smalley @ 2005-02-01 19:24 UTC (permalink / raw)
  To: Villalovos, John L; +Cc: selinux

On Tue, 2005-02-01 at 14:00, Stephen Smalley wrote:
> Any output in /var/log/messages from the attempt to write the policy to
> /selinux/load?  Any difference if you run load_policy on the binary
> policy instead of directly cat'ing it?

Actually, cat is quite likely to fail, as it likely tries to read and
write the file in chunks, whereas the kernel wants the entire policy
pushed in a single transaction.  load_policy is what you want.

/sbin/init is what normally loads the policy during startup.  Are you
using the modified /sbin/init (included in Fedora)?  What is in your
/etc/selinux/config?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* RE: Advice on bringing up SE Linux
@ 2005-02-01 20:50 Villalovos, John L
  2005-02-02 13:02 ` Stephen Smalley
From: Villalovos, John L @ 2005-02-01 20:50 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Stephen Smalley wrote:
> Any output in /var/log/messages from the attempt to write the policy
> to /selinux/load?  Any difference if you run load_policy on the binary
> policy instead of directly cat'ing it?
> 
> A lot has changed in SELinux since 2.6.5, so you really need
> to move to
> a newer kernel if you want to seriously use it.

Thanks.  We will be moving to a different development board shortly so
hopefully we will be able to move to the latest kernel.

I will work on trying to get load_policy compiled up for what we have
going and see if I can get it to work that way.

Thanks again,
John



* RE: Advice on bringing up SE Linux
@ 2005-02-01 20:51 Villalovos, John L
  2005-02-03  7:20 ` Russell Coker
From: Villalovos, John L @ 2005-02-01 20:51 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Stephen Smalley wrote:
> Actually, cat is quite likely to fail, as it likely tries to read and
> write the file in chunks, whereas the kernel wants the entire policy
> pushed in a single transaction.  load_policy is what you want.
> 
> /sbin/init is what normally loads the policy during startup.  Are you
> using the modified /sbin/init (included in Fedora)?  What is in your
> /etc/selinux/config?

Okay.  We are using Busybox for the init.  So it does not have the SE
Linux stuff in it.

I will try to get load_policy compiled for Xscale and give it a shot.

Thanks,
John



* RE: Advice on bringing up SE Linux
  2005-02-01 20:50 Villalovos, John L
@ 2005-02-02 13:02 ` Stephen Smalley
From: Stephen Smalley @ 2005-02-02 13:02 UTC (permalink / raw)
  To: Villalovos, John L; +Cc: selinux

On Tue, 2005-02-01 at 15:50, Villalovos, John L wrote:
> I will work on trying to get load_policy compiled up for what we have
> going and see if I can get it to work that way.

Note that you don't need the full load_policy logic to just perform a
basic load, especially given that you are using a pre-boolean policy
version.  You should be able to strip load_policy down to just opening
the policy file, mmap'ing it, and calling security_load_policy from
libselinux (or if you don't want to build libselinux, you could just
handcode load_policy to open /selinux/load and write the mmap'd policy
file to it).  The boolean support in the current load_policy isn't
critical, and is completely irrelevant for a version 15 policy.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Advice on bringing up SE Linux
  2005-02-01 19:24   ` Stephen Smalley
@ 2005-02-03  7:13     ` Russell Coker
From: Russell Coker @ 2005-02-03  7:13 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Villalovos, John L, selinux

On Wednesday 02 February 2005 06:24, Stephen Smalley <sds@epoch.ncsc.mil> 
wrote:
> On Tue, 2005-02-01 at 14:00, Stephen Smalley wrote:
> > Any output in /var/log/messages from the attempt to write the policy to
> > /selinux/load?  Any difference if you run load_policy on the binary
> > policy instead of directly cat'ing it?
>
> Actually, cat is quite likely to fail, as it likely tries to read and
> write the file in chunks, whereas the kernel wants the entire policy
> pushed in a single transaction.  load_policy is what you want.

In fact cat is almost guaranteed to fail.  cat from coreutils will stat the 
read and write files to check the IO block size.  On 2.6.10 /selinux/load 
reports a 4096 byte IO block size which should cause cat to fail.  Maybe if 
the kernel code was modified to return an insanely large value (larger than 
we expect a policy to be) then cat would work.  I am not sure that this is 
desirable though.

Using dd with a block size larger than the policy size should work.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

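A stripped-down loader of the kind Stephen Smalley describes above (open the policy, mmap it, push it to /selinux/load in one write) that also makes Russell Coker's point concrete: the kernel takes the policy as a single transaction, which cat's st_blksize-sized copy loop never gives it. This is an added example, not code from the thread and not the load_policy shipped with the SELinux userspace tools. The load-node path is a parameter so the same function can be tried against an ordinary file; the policydb header layout it checks (u32 magic, u32 string length, "SE Linux", u32 version, little-endian) is my reading of the kernel's policy reader, not something stated in the posts; the function names (policy_version, file_policy_version, load_policy_file, write_sample_policy) are mine, and the 32-byte sample image is constructed for demonstration and is not a real policy.

```c
/*
 * minimal_load_policy.c: added example, not the SELinux tools' load_policy.
 * Opens the binary policy, mmaps it and hands the whole image to the
 * selinuxfs load node in ONE write(2): the kernel takes the policy as one
 * transaction, which a chunked copier such as cat never provides.  The
 * header check assumes the kernel's policydb layout: u32 magic, u32 strlen,
 * "SE Linux", u32 version, all little-endian.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define POLICYDB_MAGIC  0xf97cff8cU
#define POLICYDB_STRING "SE Linux"

static uint32_t le32(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Policy version carried by a policydb image, or -1 if it is not one. */
int policy_version(const unsigned char *img, size_t len)
{
    size_t slen = strlen(POLICYDB_STRING);
    if (len < 8 + slen + 4 || le32(img) != POLICYDB_MAGIC || le32(img + 4) != slen ||
        memcmp(img + 8, POLICYDB_STRING, slen) != 0)
        return -1;
    return (int)le32(img + 8 + slen);
}

/* Same check on a file, e.g. to confirm that policy.15 really is version 15. */
int file_policy_version(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return policy_version(hdr, n);
}

/* mmap the policy and push it to load_path with a single write(2).  Returns
 * bytes written, or -1 with errno set; a short write is reported as EIO,
 * since a partial image is useless to the kernel. */
ssize_t load_policy_file(const char *policy_path, const char *load_path)
{
    struct stat st;
    int pfd = open(policy_path, O_RDONLY);
    if (pfd < 0) return -1;
    /* an empty file is not a policy, and mmap of zero bytes fails anyway */
    if (fstat(pfd, &st) < 0 || (st.st_size <= 0 && (errno = EINVAL))) {
        int e = errno; close(pfd); errno = e; return -1;
    }
    size_t len = (size_t)st.st_size;
    void *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, pfd, 0);
    close(pfd);
    if (map == MAP_FAILED) return -1;
    int lfd = -1, e = 0;
    if (policy_version(map, len) < 0)           /* fail early: not a policydb */
        e = EINVAL;
    else if ((lfd = open(load_path, O_WRONLY)) < 0)
        e = errno;
    else {
        ssize_t n = write(lfd, map, len);       /* the single transaction */
        e = n < 0 ? errno : ((size_t)n != len ? EIO : 0);
        close(lfd);
    }
    munmap(map, len);
    if (e) { errno = e; return -1; }
    return (ssize_t)len;
}

/* Constructed policy-shaped image for demonstration only: a valid header
 * (version < 256 assumed) followed by zero filler, not a real policy. */
int write_sample_policy(const char *path, unsigned version)
{
    unsigned char img[32] = {0x8c, 0xff, 0x7c, 0xf9, 8, 0, 0, 0,
                             'S', 'E', ' ', 'L', 'i', 'n', 'u', 'x'};
    img[16] = (unsigned char)version;
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(img, 1, sizeof img, f);
    return fclose(f) == 0 && w == sizeof img ? (int)w : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <binary-policy> <load-node, e.g. /selinux/load>\n", argv[0]);
        return 2;
    }
    if (load_policy_file(argv[1], argv[2]) < 0) {
        perror("load_policy_file");
        return 1;
    }
    printf("pushed policy version %d to %s\n", file_policy_version(argv[1]), argv[2]);
    return 0;
}
```

Build it with the board's cross compiler and run it as root, e.g. `./minimal_load_policy policy.15 /selinux/load`. If the kernel rejects the image, write(2) fails and the errno comes back through perror; the kernel's own reason, when it logs one, is what Stephen asked to see in /var/log/messages. Russell's dd suggestion (a block size larger than the policy file) gets the same single write without building anything.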

* Re: Advice on bringing up SE Linux
  2005-02-01 20:51 Advice on bringing up SE Linux Villalovos, John L
@ 2005-02-03  7:20 ` Russell Coker
  2005-02-03 13:42   ` Lorenzo Hernández García-Hierro
From: Russell Coker @ 2005-02-03  7:20 UTC (permalink / raw)
  To: Villalovos, John L; +Cc: Stephen Smalley, selinux

On Wednesday 02 February 2005 07:51, "Villalovos, John L" 
<john.l.villalovos@intel.com> wrote:
> > /sbin/init is what normally loads the policy during startup.  Are you
> > using the modified /sbin/init (included in Fedora)?  What is in your
> > /etc/selinux/config?
>
> Okay.  We are using Busybox for the init.  So it does not have the SE
> Linux stuff in it.

The upstream developer of busybox was accepting of SE Linux patches, I had 
some SE Linux patches in the busybox CVS at one time (not sure if they are 
still there).  If I get a bit of spare time I'll do some more work on Busybox 
SE Linux support, it's good to have for recovery purposes and I think I've 
still got some patches hanging around that I never got sorted out properly 
for release.

Also you may want to check out the paper I presented at OLS on getting SE 
Linux running on iPaQ's, the stuff about wrapping busybox etc will probably 
be of interest to you.

If you get the JFFS2 support written I'll be very interested, I have a couple 
of iPaQ's I want to get running SE Linux again.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: Advice on bringing up SE Linux
  2005-02-03  7:20 ` Russell Coker
@ 2005-02-03 13:42   ` Lorenzo Hernández García-Hierro
From: Lorenzo Hernández García-Hierro @ 2005-02-03 13:42 UTC (permalink / raw)
  To: russell; +Cc: Villalovos, John L, Stephen Smalley, selinux

On Thu, 2005-02-03 at 18:20 +1100, Russell Coker wrote:
> On Wednesday 02 February 2005 07:51, "Villalovos, John L" 
> <john.l.villalovos@intel.com> wrote:
> > > /sbin/init is what normally loads the policy during startup.  Are you
> > > using the modified /sbin/init (included in Fedora)?  What is in your
> > > /etc/selinux/config?
> >
> > Okay.  We are using Busybox for the init.  So it does not have the SE
> > Linux stuff in it.
> 
> The upstream developer of busybox was accepting of SE Linux patches, I had 
> some SE Linux patches in the busybox CVS at one time (not sure if they are 
> still there).  If I get a bit of spare time I'll do some more work on Busybox 
> SE Linux support, it's good to have for recovery purposes and I think I've 
> still got some patches hanging around that I never got sorted out properly 
> for release.
> 
> Also you may want to check out the paper I presented at OLS on getting SE 
> Linux running on iPaQ's, the stuff about wrapping busybox etc will probably 
> be of interest to you.
> 
> If you get the JFFS2 support written I'll be very interested, I have a couple 
> of iPaQ's I want to get running SE Linux again.

I've been studying the JFFS2 code from both the mtd and Linux-2.6 sources.
I also talked with some people from the Gentoo project who could help
with it.
We can try to bring up a work module on the SELinux CVS and start doing
something there.

AFAIK, and from the conversations I had with one of the Hardened Gentoo
guys (solar), xattr takes an additional 32 bytes or 1 block, which makes
it an overhead that needs to be studied, and is noticeable on devices with
*limited* storage capacity, such as iPAQs.

Anyways, I would like to discuss this with some kernel hackers before
getting into the job.
The best start is having such a device for testing, and I don't own an
iPAQ; also, using machine emulators is a pretty crap solution, in my
opinion.
(I have no experience working with ARM, so I'm surely forgetting
something.)

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]


* RE: Advice on bringing up SE Linux
@ 2005-02-03 21:49 Villalovos, John L
From: Villalovos, John L @ 2005-02-03 21:49 UTC (permalink / raw)
  To: russell; +Cc: Stephen Smalley, selinux

Russell Coker wrote:
> The upstream developer of busybox was accepting of SE Linux patches,
> I had some SE Linux patches in the busybox CVS at one time (not sure
> if they are still there).  If I get a bit of spare time I'll do some
> more work on Busybox SE Linux support, it's good to have for recovery
> purposes and I think I've still got some patches hanging around that
> I never got sorted out properly for release.
> 
> Also you may want to check out the paper I presented at OLS on
> getting SE Linux running on iPaQ's, the stuff about wrapping busybox
> etc will probably be of interest to you.
> 
> If you get the JFFS2 support written I'll be very interested, I have
> a couple of iPaQ's I want to get running SE Linux again.

At the moment Busybox does not compile with SE Linux enabled.  I am
guessing that it is using the old 2.4 API stuff.  It is looking for an
include file which is no longer there in the new SE Linux code.

We will see on the JFFS2 stuff.  At the moment we haven't made a
commitment for that.  We still have more investigation to do to see if
it is necessary.

John


