SE Linux loading procedure.

SE Linux loading procedure.

[Oren Abe-P27525]

Hi there...

Do you (or anybody) have a flow chart(s)
describe the SE Linux loading sequence.

Something like step-by-step of the main
modules and procedures that loads into the
memory during the boot process ?

Thanks in advance.

Abe Oren
Principal Engineer
General Dynamics
Decision Systems
(480)675-2575

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Linux loading procedure.

[Stephen Smalley]

On Fri, 21 Jun 2002, Oren Abe-P27525 wrote:

> Do you (or anybody) have a flow chart(s)
> describe the SE Linux loading sequence.
>
> Something like step-by-step of the main
> modules and procedures that loads into the
> memory during the boot process ?

I'm not aware of any such flow chart for SELinux.  But keep in mind that
the SELinux kernel is merely a modified form of the Linux kernel
(Linux+the LSM kernel patch+the SELinux kernel module).

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Linux loading procedure.

[david kelman]

1. for debian and rpm-based distros that use apt
such as conectiva:
a) su
b)add the url of nsa's download page to
your apt source list

c)#apt-get install selinux
2. for rpm based distros without apt,
your going to recompile the kernel ( i think,
but get other advice, i use deb.) mandy and 
RH users pls correct me if im wrong.
-- 
Get your free email from www.linuxmail.org 


Powered by Outblaze

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Linux loading procedure.

[Russell Coker]

On Mon, 24 Jun 2002 09:45, Stephen Smalley wrote:
> On Fri, 21 Jun 2002, Oren Abe-P27525 wrote:
> > Do you (or anybody) have a flow chart(s)
> > describe the SE Linux loading sequence.
> >
> > Something like step-by-step of the main
> > modules and procedures that loads into the
> > memory during the boot process ?
>
> I'm not aware of any such flow chart for SELinux.  But keep in mind that
> the SELinux kernel is merely a modified form of the Linux kernel
> (Linux+the LSM kernel patch+the SELinux kernel module).

I think that perhaps they want a list of the differences between SE Linux and 
a regular Linux kernel.

Basically as part of the proceedure of mounting the root file system or doing 
a pivot_root() operation the new policy file is loaded from 
/etc/security/selinux/ .

After that is loaded if it's the first load of a SE policy then it'll apply 
SIDs to kernel threads etc.

After that is done then the PSID mappings for the file system are 
re-evaluated to avoid the initrd problems (in the latest patches anyway).

Then when the kernel runs init it's subject to the regular 
domain_auto_trans() rules and things go in a normal fashion from there.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Linux loading procedure.

[Russell Coker]

On Tue, 25 Jun 2002 21:43, david kelman wrote:
> 1. for debian and rpm-based distros that use apt
> such as conectiva:
> a) su
> b)add the url of nsa's download page to
> your apt source list

The NSA do not distribute Debian packages or RPM packages and are unlikely to 
ever do so.  I will be strongly encouraging them not to distribute Debian 
packages.

> c)#apt-get install selinux
> 2. for rpm based distros without apt,
> your going to recompile the kernel ( i think,
> but get other advice, i use deb.) mandy and
> RH users pls correct me if im wrong.

No.  See http://www.coker.com.au/selinux/ for Debian install docs and 
packages.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SE Linux loading procedure.

[Ed Street]

Hello,

My reply maybe a bit off topic but I do agree that they should NOT
distribute binaries.  The biggest reason is after talking with numerous
people about the Selinux project I hear words like "backdoor" "spy ware"
"unknown holes so they can get in" "hidden code" and blah blah blah.  I
feel that any binary distribution would further kindle these fires.

Ed

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Russell Coker
Sent: Wednesday, June 26, 2002 10:02 AM
To: david kelman; sds@tislabs.com; Abe.Oren@gd-decisionsystems.com
Cc: selinux@tycho.nsa.gov
Subject: Re: SE Linux loading procedure.

On Tue, 25 Jun 2002 21:43, david kelman wrote:
> 1. for debian and rpm-based distros that use apt
> such as conectiva:
> a) su
> b)add the url of nsa's download page to
> your apt source list

The NSA do not distribute Debian packages or RPM packages and are
unlikely to 
ever do so.  I will be strongly encouraging them not to distribute
Debian 
packages.

> c)#apt-get install selinux
> 2. for rpm based distros without apt,
> your going to recompile the kernel ( i think,
> but get other advice, i use deb.) mandy and
> RH users pls correct me if im wrong.

No.  See http://www.coker.com.au/selinux/ for Debian install docs and 
packages.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SE Linux loading procedure.

[Oren Abe-P27525]

Ed,

Basically what I've asked for is NOT binary codes,
nor any .C files that reveal internals etc. but
simple flow-chart (of events) which explain the major
modules that load into memory during the BOOT time.
i.e. sequence of events (check, mount, load etc.)
Something like the LILO displays while executing itself
when initializing the computer.

Sorry for the confusion.
Hope it's more clear now.

Thanks for your time/response.

Abe Oren
Principal Engineer,
General Dynamics
Decision Systems (ex Motorola IISG)
(480)675-2575



-----Original Message-----
From: Ed Street [mailto:blacknet@simplyaquatics.com]
Sent: Wednesday, June 26, 2002 9:54 AM
To: 'Russell Coker'; 'david kelman'; sds@tislabs.com; Oren Abe-P27525
Cc: selinux@tycho.nsa.gov
Subject: RE: SE Linux loading procedure.


Hello,

My reply maybe a bit off topic but I do agree that they should NOT
distribute binaries.  The biggest reason is after talking with numerous
people about the Selinux project I hear words like "backdoor" "spy ware"
"unknown holes so they can get in" "hidden code" and blah blah blah.  I
feel that any binary distribution would further kindle these fires.

Ed

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of Russell Coker
Sent: Wednesday, June 26, 2002 10:02 AM
To: david kelman; sds@tislabs.com; Abe.Oren@gd-decisionsystems.com
Cc: selinux@tycho.nsa.gov
Subject: Re: SE Linux loading procedure.

On Tue, 25 Jun 2002 21:43, david kelman wrote:
> 1. for debian and rpm-based distros that use apt
> such as conectiva:
> a) su
> b)add the url of nsa's download page to
> your apt source list

The NSA do not distribute Debian packages or RPM packages and are
unlikely to 
ever do so.  I will be strongly encouraging them not to distribute
Debian 
packages.

> c)#apt-get install selinux
> 2. for rpm based distros without apt,
> your going to recompile the kernel ( i think,
> but get other advice, i use deb.) mandy and
> RH users pls correct me if im wrong.

No.  See http://www.coker.com.au/selinux/ for Debian install docs and 
packages.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SE Linux loading procedure.

[Russell Coker]

On Wed, 26 Jun 2002 12:35, you wrote:
> > The NSA do not distribute Debian packages or RPM packages and are
> > unlikely
>
> to
>
> > ever do so.  I will be strongly encouraging them not to distribute Debian
> > packages.
>
> I've only been reading this list for about a month so I hope you don't mind
> me asking you this directly to avoid getting flamed over what may/may not
> be a previously well covered bone of contention:

I don't think that's any risk so I'll answer on the list.

> Why do you think that the NSA should not package SELinux? - Would they not
> have an interest in updating them on a regular basis or is something else?

If an NSA employee signs up to become a Debian developer and convinces me 
that they can do a better job of packaging it for Debian than I do then I 
would be prepared to transfer ownership.  However given legal issues that 
limit their ability to make fast new releases I think that is unlikely.  Also 
with the way the Debian community operates, even having an FBI employee as a 
developer would be regarded as controversial...  So I think that the NSA 
would not want their employees as Debian developers as it would result in 
controversy and possible bad PR.

So given that I will keep maintaining the official Debian packages, why would 
the NSA want to ship any Debian packages?  That would just result in 
confusion and it would be better for everyone if they didn't do so.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.