* how usable is selinux in lsm-2.5?
@ 2003-06-18 21:27 Andreas Schuldei
  2003-06-19  0:40 ` Russell Coker
  2003-06-19 12:32 ` Stephen Smalley
  0 siblings, 2 replies; 4+ messages in thread
From: Andreas Schuldei @ 2003-06-18 21:27 UTC
  To: selinux

I notice with satisfaction that lsm-2.5 with selinux configured
in compiles fine here.

what is missing from it to be usable? Or which parts are there
and what can one do with them?

will the 2.4 userspace which Russell and Brian ship in Debian
packages work on this kernel? I understand that the proc
interface changed. are there patches for userspace already?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: how usable is selinux in lsm-2.5?
  2003-06-18 21:27 how usable is selinux in lsm-2.5? Andreas Schuldei
@ 2003-06-19  0:40 ` Russell Coker
  2003-06-19 12:32 ` Stephen Smalley
  1 sibling, 0 replies; 4+ messages in thread
From: Russell Coker @ 2003-06-19  0:40 UTC
  To: Andreas Schuldei, selinux

On Thu, 19 Jun 2003 07:27, Andreas Schuldei wrote:
> I notice with satisfaction that lsm-2.5 with selinux configured
> in compiles fine here.
>
> what is missing from it to be usable? Or which parts are there
> and what can one do with them?
>
> will the 2.4 userspace which Russell and Brian ship in Debian
> packages work on this kernel? I understand that the proc
> interface changed. are there patches for userspace already?

The packages that Brian and I provide will not work with the new xattr based 
interface in 2.5.x.  To get it working you need to compile your own versions 
of login, cron, and other patched programs with support for this.

At some future time Brian and I will work on this, but if you would like to 
start maintaining some packages for 2.5.x support then that would help us.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: how usable is selinux in lsm-2.5?
  2003-06-18 21:27 how usable is selinux in lsm-2.5? Andreas Schuldei
  2003-06-19  0:40 ` Russell Coker
@ 2003-06-19 12:32 ` Stephen Smalley
  2003-06-20  8:40   ` Andreas Schuldei
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2003-06-19 12:32 UTC
  To: Andreas Schuldei, Russell Coker; +Cc: selinux

On Wed, 2003-06-18 at 17:27, Andreas Schuldei wrote:
> I notice with satisfaction that lsm-2.5 with selinux configured
> in compiles fine here.

Are you referring to the lsm-2.5 BitKeeper tree from either
lsm.bkbits.net or lsm.immunix.org?  I did replace the SELinux module in
that tree with the new 2.5 SELinux, although the LSM patch in that tree
still includes various hooks that are not in mainline.  You might want
to wait until we make an updated public release of the mainline
2.5-based SELinux and use it.

> what is missing from it to be usable? Or which parts are there
> and what can one do with them?

It doesn't include the networking access controls, since those controls
need to be reimplemented using only features provided by the mainline
kernel (vs. the rejected networking fields and hooks).  It also is more
limited in its support for filesystems due to the transition to xattr
and the elimination of unsafe inode-to-path translation; if you want to
use something other than ext[23] on disk or if you want to use devfs,
you'll need to implement an xattr handler in the filesystem or some
technique for labeling it in the SELinux module.

> will the 2.4 userspace which Russell and Brian ship in Debian
> packages work on this kernel? I understand that the proc
> interface changed. are there patches for userspace already?

No, the SELinux API has been massively overhauled.  You can fetch
snapshots of the new userland components from
http://www.nsa.gov/selinux/lk, but it might be easier for you to wait
for an updated public release on the main download page.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
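
[Added example, not part of the thread and not code from the SELinux project.] The filesystem limitation described in the message above can be checked per file from userspace: the C sketch below reads the label xattr and separates "labeled", "no label set", and "filesystem has no xattr handler". The attribute name `security.selinux` is not stated in the thread and is assumed here, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Assumption: the label is stored in this xattr (name not given in the thread). */
#define SELINUX_XATTR "security.selinux"

enum label_state { LABELED, UNLABELED, FS_NO_XATTR, PROBE_ERROR };

/* Map a getxattr() return value and errno to what it means for labeling. */
enum label_state classify(ssize_t rc, int err)
{
    if (rc >= 0)
        return LABELED;
    if (err == ENODATA)
        return UNLABELED;      /* handler present, attribute not set on this inode */
    if (err == ENOTSUP)
        return FS_NO_XATTR;    /* filesystem offers no handler for this xattr */
    return PROBE_ERROR;        /* ENOENT, EACCES, ERANGE, ... */
}

/* Probe one path; when LABELED, ctx holds the NUL-terminated context string. */
enum label_state probe_label(const char *path, char *ctx, size_t len)
{
    if (len == 0)
        return PROBE_ERROR;
    ssize_t rc = getxattr(path, SELINUX_XATTR, ctx, len - 1);
    int err = errno;           /* save before any other call can overwrite it */
    ctx[rc >= 0 ? rc : 0] = '\0';
    return classify(rc, err);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "labeled", "unlabeled", "no-xattr", "error" };
    char ctx[256];

    for (int i = 1; i < argc; i++) {
        enum label_state s = probe_label(argv[i], ctx, sizeof ctx);
        printf("%-10s %s %s\n", names[s], argv[i], ctx);
    }
    return 0;
}
```

`getxattr()` follows symbolic links; use `lgetxattr()` to inspect the label of the link itself.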



* Re: how usable is selinux in lsm-2.5?
  2003-06-19 12:32 ` Stephen Smalley
@ 2003-06-20  8:40   ` Andreas Schuldei
  0 siblings, 0 replies; 4+ messages in thread
From: Andreas Schuldei @ 2003-06-20  8:40 UTC
  To: Stephen Smalley; +Cc: Russell Coker, selinux

* Stephen Smalley (sds@epoch.ncsc.mil) [030619 14:33]:
> On Wed, 2003-06-18 at 17:27, Andreas Schuldei wrote:
> > I notice with satisfaction that lsm-2.5 with selinux configured
> > in compiles fine here.
> 
> Are you referring to the lsm-2.5 BitKeeper tree from either
> lsm.bkbits.net or lsm.immunix.org?  I did replace the SELinux module in
> that tree with the new 2.5 SELinux, although the LSM patch in that tree
> still includes various hooks that are not in mainline.  You might want
> to wait until we make an updated public release of the mainline
> 2.5-based SELinux and use it.

when do you expect to release that?

> http://www.nsa.gov/selinux/lk, but it might be easier for you to wait
> for an updated public release on the main download page.

would that be the same date then above?
