* Updated release
@ 2001-01-02 22:28 Pete Loscocco
0 siblings, 0 replies; 79+ messages in thread
From: Pete Loscocco @ 2001-01-02 22:28 UTC (permalink / raw)
To: selinux
An updated release of Security-enhanced Linux that corrects some of the
minor problems in the original release has been posted on the NSA web
site (www.nsa.gov/selinux).
Changes include:
- moving the numbers of the new system calls to avoid conflicts
- fixing the buffer overflow problem discovered in the
find_default_type function in libsecure
- removed extra ';' in policy grammar
- minor adjustments in kernel/flask/Makefile
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Updated release
@ 2001-03-16 16:07 Howard Holm
2001-03-16 23:29 ` Grant Bayley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2001-03-16 16:07 UTC (permalink / raw)
To: selinux
An updated release of Security-enhanced Linux has been posted on the
NSA web site (www.nsa.gov/selinux).
Changes include:
- Updated information on the developers' mailing list and archives was
made available.
- Answers to Frequently Asked Questions were added to the site.
- Kernel patches are now provided for 2.4.2 and 2.2.18.
- The 2.4.2 patch includes changes to virtualize the persistent SID
mapping interfaces and the file mandatory access controls.
- The 2.2.18 patch includes several bug fixes to the old 2.2-based
patch. It also includes a new implementation of System V IPC
mandatory access controls. These controls have not yet been ported to
the 2.4 kernel.
- Both the 2.2.18 and 2.4.2 patches incorporate a change in the
implementation of the new system calls that is not backward
compatible with the old implementation. Hence, the updated libsecure
must be compiled and all modified utilities must be relinked against it.
- The util-linux patch is now provided for the util-linux-2.10s sources
from kernel.org.
- The procps patch is now provided for the procps-010114 sources from
http://www.cs.uml.edu/~acahalan/procps.
- The vixie-cron patch is now provided for the vixie-cron-3.0.1-61
sources from RedHat.
- A small fix was made to the spasswd wrapper program to ensure that it
is not mistakenly used by an administrator to try to change another
user's password. A README was added to explain the purpose of this
program.
- The shadow password file is no longer moved by the installation
scripts, and the modified versions of libpwdb, sulogin, and the shadow
utilities are no longer provided. The relocation of the shadow password
file was creating compatibility problems with a number of applications
despite the updated libpwdb. A different approach for maintaining a
separate security context on the shadow password file will be
implemented in the future.
- The modified versions of rshd and wu-ftpd were removed from the
distribution and each of these daemons was limited to its initial
domain in the example policy configuration.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Office
National Security Agency
* Re: Updated release
2001-03-16 16:07 Howard Holm
@ 2001-03-16 23:29 ` Grant Bayley
0 siblings, 0 replies; 79+ messages in thread
From: Grant Bayley @ 2001-03-16 23:29 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
The Australian mirror of this information that I've been keeping is now
updated with the new release, the updated documentation and any new
information in the supplementary pages. It's available via HTTP and FTP
at the following URLs:
ftp://ftp.wiretapped.net/wd2a/security/operating-systems/selinux/
http://the.wiretapped.net/security/operating-systems/selinux/
Grant
-------------------------------------------------------
Grant Bayley gbayley@ausmac.net
-IT Manager @ FNL Communications (www.fnl.com.au)
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------
On Fri, 16 Mar 2001, Howard Holm wrote:
> An updated release of Security-enhanced Linux has been posted on the
> NSA web site (www.nsa.gov/selinux).
>
[snip]
* Updated release
@ 2001-04-17 21:23 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2001-04-17 21:23 UTC (permalink / raw)
To: selinux
The NSA web site (www.nsa.gov/selinux) for Security-enhanced Linux was
updated Friday.
Changes include:
- Documentation now includes the slides used by Pete Loscocco at the
Linux 2.5 Kernel Summit.
- The mailing list archives are more current
- Kernel patches are now provided for kernel versions 2.2.19 and 2.4.3
--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Office
National Security Agency
* Updated release
@ 2001-08-24 14:30 Howard Holm
2001-09-27 22:11 ` Howard Holm
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2001-08-24 14:30 UTC (permalink / raw)
To: selinux
The NSA SELinux web site (http://www.nsa.gov/selinux/) has been updated.
It includes a completely new variant of the SELinux prototype
based on the Linux Security Modules (LSM) work. The patches for the
LSM-based prototype are based on the Linux 2.4.9 kernel, and the patches
for the utilities are known to work with Red Hat Linux 7.1.
Additional web site updates include additional papers and presentations,
and the long awaited updating of the SELinux hyper-mail mail list archives.
Remember, current archives are always available via e-mail (see
http://www.nsa.gov/selinux/list.html) even when the hyper-mail archives are
out of date.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Group
National Security Agency
* Updated release
2001-08-24 14:30 Howard Holm
@ 2001-09-27 22:11 ` Howard Holm
2001-09-28 6:44 ` Grant Bayley
2001-09-30 6:47 ` Conan Callen
0 siblings, 2 replies; 79+ messages in thread
From: Howard Holm @ 2001-09-27 22:11 UTC (permalink / raw)
To: selinux
The SELinux web site including the mail list archive has been updated.
The site includes a new release of the LSM-based SELinux prototype.
This release contains many bug fixes and improvements to both LSM and
SELinux and is based on the lsm-2001_09_23 patch against kernel 2.4.10.
The release includes new and reworked hooks to control additional
operations.
The policy now includes hwclock_t and ping_t domains for hwclock and
ping (from David Wheeler,) an ipsec_t domain for the FreeSWAN IKE
daemon and programs (from Mark Westerman,) and an httpd_t domain
for Apache (from MITRE.) None of these has been extensively tested
by the NSA SELinux team, and they may require some additional work.
Note that we have not yet included any FreeSWAN or Apache components
in the material distributed with SELinux.
We have chosen not to release patches to our previous patches. You will
need a complete set of patches or the complete (already patched) source
code. We believe that the patches to patches were not being utilized
enough to justify the work to create them. If you would rather apply
updates as patches to our previous patches, please notify me directly
at the address below so we can gauge the interest.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated release
2001-09-27 22:11 ` Howard Holm
@ 2001-09-28 6:44 ` Grant Bayley
2001-09-30 6:47 ` Conan Callen
1 sibling, 0 replies; 79+ messages in thread
From: Grant Bayley @ 2001-09-28 6:44 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
Hi everyone,
And the mirror at Wiretapped in Australia is now updated as well (the
NSA site has been a bit slow today...):
http://the.wiretapped.net/security/operating-systems/selinux/
ftp://ftp.wiretapped.net/pub/security/operating-systems/selinux/
The layout should be fairly obvious...
Hope this helps,
Grant
On Thu, 27 Sep 2001, Howard Holm wrote:
> The SELinux web site including the mail list archive has been updated.
> The site includes a new release of the LSM-based SELinux prototype.
> This release contains many bug fixes and improvements to both LSM and
> SELinux and is based on the lsm-2001_09_23 patch against kernel 2.4.10.
> The release includes new and reworked hooks to control additional
> operations.
[snip]
* Re: Updated release
2001-09-27 22:11 ` Howard Holm
2001-09-28 6:44 ` Grant Bayley
@ 2001-09-30 6:47 ` Conan Callen
2001-10-01 13:52 ` Stephen Smalley
1 sibling, 1 reply; 79+ messages in thread
From: Conan Callen @ 2001-09-30 6:47 UTC (permalink / raw)
To: selinux
I checked the changes file and didn't find anything to indicate any changes in
the area below. I wanted to double check and see if anyone had some
pointers.
When the updated kernel is built can the existing policy be used?
Is it necessary to rebuild the policy dir, setfiles, relabel, etc. If so, can
the previous config files & te files be copied in or have any file formats
changed?
Conan Callen
Windowpane
* Re: Updated release
2001-09-30 6:47 ` Conan Callen
@ 2001-10-01 13:52 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2001-10-01 13:52 UTC (permalink / raw)
To: Conan Callen; +Cc: selinux
On Sat, 29 Sep 2001, Conan Callen wrote:
> I checked the changes file and didn't find anything to indicate any changes in
> the area below. I wanted to double check and see if anyone had some
> pointers.
The selinux/ChangeLog file has a summary of the changes to LSM and
SELinux since the last release.
> When the updated kernel is built can the existing policy be used?
>
> Is it necessary to rebuild the policy dir, setfiles, relabel, etc. If so, can
> the previous config files & te files be copied in or have any file formats
> changed?
I would generally recommend doing a full installation, following the
instructions in README as before. You don't need to do step 8 unless you
were running the non-LSM SELinux prototype. There have been changes to
the policy and setfiles/file_contexts configuration since the last
release. If you made customizations to your policy and
setfiles/file_contexts, then you should check whether the same
customizations are still needed, since we may have merged them into the
example policy. We try to merge policy customizations into the example
policy when people contribute them back to us as long as they are
reasonable. The configuration languages haven't changed, other than
the addition of the policy/devfs_contexts file for devfs file labeling.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Updated release
@ 2001-10-16 22:03 Howard Holm
2001-10-17 15:05 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2001-10-16 22:03 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. This release contains bug fixes and
additional policy domains and permissions. The capability module may
now be stacked with SELinux. The base for SELinux has been updated to
the lsm-2001_10_11 patch against kernel 2.4.12.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated release
2001-10-16 22:03 Howard Holm
@ 2001-10-17 15:05 ` Stephen Smalley
2001-10-18 9:11 ` J
0 siblings, 1 reply; 79+ messages in thread
From: Stephen Smalley @ 2001-10-17 15:05 UTC (permalink / raw)
To: selinux
A few additional notes about this release:
1) A new run_init utility program and domain have been created to allow
administrators to run the init scripts with the appropriate security
context (e.g. to restart daemons) in a secure manner. This was requested
by several SELinux users. See the updated README, utils/run_init, and
utils/appconfig/initrc_context.
2) Step 4 of the updated README discusses the issues in running X on
SELinux, whether via startx after an ordinary login or via an X display
manager like xdm, gdm, or kdm. You must uncomment certain allow
statements in the policy to grant the X server the necessary permissions,
as explained in the README. Mark Westerman's gdm policy has been merged
into the example policy in order to ensure that it is consistent and kept
up-to-date with the rest of the policy, but you will need to obtain his
modified gdm program separately if you want to use gdm on SELinux.
3) Download Options 4 and 5 were revised in response to the feedback from
the Debian packagers. The SELinux kernel module is provided as a patch
against the LSM kernel patch (which is identical to the lsm-2001_10_11
patch against 2.4.12 from lsm.immunix.org) rather than being part of the
archive. The module Makefiles have been revised to ensure that the
architecture-specific symbolic links are generated during the normal
'make dep'.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: Updated release
2001-10-17 15:05 ` Stephen Smalley
@ 2001-10-18 9:11 ` J
0 siblings, 0 replies; 79+ messages in thread
From: J @ 2001-10-18 9:11 UTC (permalink / raw)
To: selinux
On Wed, 2001-10-17 at 08:05, Stephen Smalley wrote:
>
> A few additional notes about this release:
>
> 1) A new run_init utility program and domain have been created to allow
> administrators to run the init scripts with the appropriate security
> context (e.g. to restart daemons) in a secure manner. This was requested
> by several SELinux users. See the updated README, utils/run_init, and
> utils/appconfig/initrc_context.
If you are not using PAM it didn't compile so I just moved
#define CONTEXT_FILE .....
out of the ifdef PAM block in run_init.c, FYI.
Also newrole.c line 412 almost certainly has an error.
I changed
if ( !authenticate_via_shadow_passwd(d p_passwd_line) ) {
to
if ( !authenticate_via_shadow_passwd(p_passwd_line) ) {
Also, I have integrated this with a Slackware 8.0 firewall
that is re-exporting nfs filesystems to samba for windows clients.
It is also running dhcp. I have created iptables, dhcpd, and samba
domains. I also had to change a huge amount of file_contexts. It is
working fine as a production server. I am very pleased with selinux.
J
* Updated release
@ 2001-11-20 14:10 Howard Holm
2001-11-21 1:30 ` Grant Bayley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2001-11-20 14:10 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. This release is based on the
lsm-2001_11_05 patch against kernel 2.4.14. It fixes a number of bugs,
cleans up some code, and is based on newer versions of the kernel and
utilities.
The following changes should be carefully noted if you have previously
installed SELinux:
1) LSM has renamed all LSM-related configuration options to use a
CONFIG_SECURITY prefix, and we have done likewise for the SELinux
kernel option. This means that old .config files aren't quite right
anymore. You can still use them, but you'll need to explicitly enable
the LSM-related (IP Networking hooks, Capabilities) and SELinux options
again when you configure (unless you hand edit your old .config file to
reflect the name changes).
2) A small change was made to the policydb format, so you need to
rebuild checkpolicy and recompile your policy with the updated
checkpolicy program. Also, if you have customized your policy, you
need to at least pick up a new initial SID definition (sysctl_net_unix)
in the initial_sid_contexts file.
3) The execve_secure system call has been reimplemented via the general
security system call. Previously, this system call remained as a
separate entrypoint due to the inability to access register state
(needed by execve) from the general security system call, but this was
undesirable because only the security call is reserved in the
mainstream kernel. We found that we could reimplement the
execve_secure call via the security call by replacing the LSM security
call entrypoint function with our own architecture-specific entrypoint
function that can support both execve_secure and all of our other
calls. So you must recompile libsecure and relink all applications
that use exec.*_secure against it (runas, newrole, crond, run_init,
sshd, login, Mark Westerman's modified gdm). This will be a nuisance
for current users, but ensures that you should never have to do so
again, since the security syscall is reserved, unlike the old separate
entrypoint for execve_secure.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated release
2001-11-20 14:10 Howard Holm
@ 2001-11-21 1:30 ` Grant Bayley
0 siblings, 0 replies; 79+ messages in thread
From: Grant Bayley @ 2001-11-21 1:30 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
Australian SELinux mirror now updated:
http://the.wiretapped.net/security/operating-systems/selinux/
(in the LSM-based prototype, we're mirroring the all-in-one tarball and
the two-parts tarballs; no need to mirror the patches separately. Also the
documentation mirror has been updated as well.)
Grant
-------------------------------------------------------
Grant Bayley gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------
On Tue, 20 Nov 2001, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. This release is based on the
> lsm-2001_11_05 patch against kernel 2.4.14. It fixes a number of bugs,
> cleans up some code, and is based on newer versions of the kernel and
> utilities.
>
> The following changes should be carefully noted if you have previously
> installed SELinux:
>
> 1) LSM has renamed all LSM-related configuration options to use a
> CONFIG_SECURITY prefix, and we have done likewise for the SELinux
> kernel option. This means that old .config files aren't quite right
> anymore. You can still use them, but you'll need to explicitly enable
> the LSM-related (IP Networking hooks, Capabilities) and SELinux options
> again when you configure (unless you hand edit your old .config file to
> reflect the name changes).
>
> 2) A small change was made to the policydb format, so you need to
> rebuild checkpolicy and recompile your policy with the updated
> checkpolicy program. Also, if you have customized your policy, you
> need to at least pick up a new initial SID definition (sysctl_net_unix)
> in the initial_sid_contexts file.
>
> 3) The execve_secure system call has been reimplemented via the general
> security system call. Previously, this system call remained as a
> separate entrypoint due to the inability to access register state
> (needed by execve) from the general security system call, but this was
> undesirable because only the security call is reserved in the
> mainstream kernel. We found that we could reimplement the
> execve_secure call via the security call by replacing the LSM security
> call entrypoint function with our own architecture-specific entrypoint
> function that can support both execve_secure and all of our other
> calls. So you must recompile libsecure and relink all applications
> that use exec.*_secure against it (runas, newrole, crond, run_init,
> sshd, login, Mark Westerman's modified gdm). This will be a nuisance
> for current users, but ensures that you should never have to do so
> again, since the security syscall is reserved, unlike the old separate
> entrypoint for execve_secure.
>
> --
> Howard Holm <hdholm@epoch.ncsc.mil>
> Secure Systems Research Office
> National Security Agency
* Re: Updated release
@ 2001-12-10 20:55 Howard Holm
2001-12-11 3:27 ` Grant Bayley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2001-12-10 20:55 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. This release is based on the
lsm-full-2001_12_10 patch against kernel 2.4.16 which merges SELinux
into the LSM tree. Many utilities have been updated to newer versions
to improve compatibility with Red Hat 7.2. Auditing has been revised
for easier parsing and several additional bugs were fixed.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated release
2001-12-10 20:55 Updated release Howard Holm
@ 2001-12-11 3:27 ` Grant Bayley
0 siblings, 0 replies; 79+ messages in thread
From: Grant Bayley @ 2001-12-11 3:27 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
Hi all,
The SELinux mirror at Wiretapped in Sydney, Australia has now been updated
with the new release:
http://the.wiretapped.net/security/operating-systems/selinux/
ftp://ftp.wiretapped.net/pub/security/operating-systems/selinux/
Main archives:
http://www.wiretapped.net/
Grant
-------------------------------------------------------
Grant Bayley gbayley@ausmac.net
-IT Manager @ FNL Communications (www.fnl.com.au)
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------
On Mon, 10 Dec 2001, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. This release is based on the
> lsm-full-2001_12_10 patch against kernel 2.4.16 which merges SELinux
> into the LSM tree. Many utilities have been updated to newer versions
> to improve compatibility with Red Hat 7.2. Auditing has been revised
> for easier parsing and several additional bugs were fixed.
>
> --
> Howard Holm <hdholm@epoch.ncsc.mil>
> Secure Systems Research Office
> National Security Agency
* Updated Release
@ 2002-01-18 22:56 Howard Holm
2002-01-19 0:18 ` Grant Bayley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2002-01-18 22:56 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
prototype was updated to kernel 2.4.17 and was updated to include a
number of bug fixes and minor enhancements made since the previous
release. A new development (2.5) LSM-based SELinux prototype based on
kernel 2.5.2 was also added to the site. The original SELinux
prototype (which was not based on LSM) has been reduced to just the
2.2.19 and 2.4.3 kernel patches for historical reference. The technical
report describing the design and implementation of the original 2.2
kernel patch is also still available for historical reference.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated Release
2002-01-18 22:56 Howard Holm
@ 2002-01-19 0:18 ` Grant Bayley
0 siblings, 0 replies; 79+ messages in thread
From: Grant Bayley @ 2002-01-19 0:18 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
These files are now available at Wiretapped in Sydney, Australia:
http://the.wiretapped.net/security/operating-systems/selinux/
ftp://ftp.wiretapped.net/pub/security/operating-systems/selinux/
Grant
-------------------------------------------------------
Grant Bayley gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------
On Fri, 18 Jan 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
> prototype was updated to kernel 2.4.17 and was updated to include a
[snip]
* Updated Release
@ 2002-03-14 20:12 Howard Holm
2002-03-15 14:38 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2002-03-14 20:12 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
prototype was updated to kernel 2.4.18. The development (2.5)
LSM-based SELinux prototype was updated to kernel 2.5.6. The modified
utilities have been updated to Red Hat Linux 7.2-based versions. A
number of new policy domains have been added and policy restructured.
Support for usbdevfs and work for labeled networking has been added.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated Release
2002-03-14 20:12 Howard Holm
@ 2002-03-15 14:38 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-03-15 14:38 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
The CVS tree at the sourceforge selinux site has been synchronized with
the new release. As usual, the lsm-2.4, lsm-2.5, and selinux trees can be
found under the 'nsa' directory in CVS.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
On Thu, 14 Mar 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
> prototype was updated to kernel 2.4.18. The development (2.5)
> LSM-based SELinux prototype was updated to kernel 2.5.6. The modified
> utilities have been updated to Red Hat Linux 7.2-based versions. A
> number of new policy domains have been added and policy restructured.
> Support for usbdevfs and work for labeled networking has been added.
>
> --
> Howard Holm <hdholm@epoch.ncsc.mil>
> Secure Systems Research Office
> National Security Agency
* Re: Updated Release
[not found] <72222DC86846D411ABD300A0C9EB08A10152430C@csoc-mail-box.csoconline.com>
@ 2002-03-15 17:03 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-03-15 17:03 UTC (permalink / raw)
To: Westerman, Mark; +Cc: selinux
[-- Attachment #1: Type: TEXT/PLAIN, Size: 1056 bytes --]
On Fri, 15 Mar 2002, Westerman, Mark wrote:
> There is a problem with the build in the updated release.
>
> I was too quick and did not figure out what was causing the
> problem. When doing a make quickinstall (on a clean install of
> RedHat) some install program installs itself as
> /usr/local/selinux/sbin. Since sbin was a program and not
> a directory the make failed.
Thanks for the bug report. The selinux/selopt Makefiles assume that the
/usr/local/selinux hierarchy has been created, and end up installing
binaries as /usr/local/selinux/sbin if that directory has not already been
created. That was a reasonable assumption for James, because selopt was
originally intended to be installed after an initial install of SELinux.
When we merged it, we didn't fix this. Sorry. The attached patch moves
the selopt install after the utils install, at which point this assumption
holds. Longer term, we should just fix the selopt Makefiles to create
the target directories if necessary.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
[-- Attachment #2: Type: TEXT/PLAIN, Size: 2180 bytes --]
Index: Makefile
===================================================================
RCS file: /cvs/lsm/selinux/Makefile,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- Makefile 2002/03/15 15:38:25 1.8
+++ Makefile 2002/03/15 16:26:47 1.9
@@ -22,10 +22,10 @@
cd policy && make install
@echo "Building and installing libsecure."
cd libsecure && make install
- @echo "Building and installing the SELOPT utils."
- cd selopt && make LSMVER=$(LSMVER) && make install
@echo "Building and installing the modified daemons and the new or modified utilities."
cd utils && make install
+ @echo "Building and installing the SELOPT utils."
+ cd selopt && make LSMVER=$(LSMVER) && make install
@echo "Installing the application context configuration files."
if [ ! -f /etc/security/default_context ]; then install -m 644 utils/appconfig/default_context /etc/security; fi
if [ ! -f /etc/security/default_type ]; then install -m 644 utils/appconfig/default_type /etc/security; fi
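Review bot: The moved selopt step (`cd selopt && make LSMVER=$(LSMVER) && make install`) now works only because `cd utils && make install` runs before it and leaves the /usr/local/selinux hierarchy in place, and nothing in the rule records that dependency. A comment above the selopt lines stating the ordering requirement, or an explicit creation of the target directories before this step, would keep a later reorder from bringing back the case where a binary is installed as the file /usr/local/selinux/sbin.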
Index: README
===================================================================
RCS file: /cvs/lsm/selinux/README,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -r1.60 -r1.61
--- README 2002/03/15 15:38:25 1.60
+++ README 2002/03/15 16:26:47 1.61
@@ -180,21 +180,21 @@
make install
cd ..
-7) If you want to experiment with the labeled networking support, then
- build and install the Selopt utilities:
- cd selopt
- make (or make LSMVER=-2.5)
- su (if not already root)
- make install
- cd ..
-
-8) Build and install the modified applications.
+7) Build and install the modified applications.
If you are running RH7.1, then first edit the utils/Makefile,
commenting out the LOGROTATE_VER definition for RH7.2 and uncommenting
the corresponding definition for RH7.1.
cd utils
make
+ su (if not already root)
+ make install
+ cd ..
+
+8) If you want to experiment with the labeled networking support, then
+ build and install the Selopt utilities:
+ cd selopt
+ make (or make LSMVER=-2.5)
su (if not already root)
make install
cd ..
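Review bot: The renumbered step 8 (the Selopt utilities) does not say that it has to run after step 7, although the selopt install relies on the directories that the step 7 `make install` creates. Since step 8 is introduced as optional ("If you want to experiment with the labeled networking support"), a reader may try it on its own; add one sentence to step 8 saying that the modified applications from step 7 must already be installed.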
^ permalink raw reply [flat|nested] 79+ messages in thread
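The failure described in the message above, reproduced in a scratch directory, together with the directory-creating install it proposes as the longer-term fix. This is an added example, not part of the original message or of the SELinux Makefiles; the function names, file names and temporary paths are assumptions made for the demo.

```shell
#!/bin/sh
# Demo of "install into a directory that does not exist yet" and the
# directory-creating variant that avoids it. Everything runs under a
# temporary directory; all names here are constructed for the example.

# Install SRC to DEST without checking that DEST is an existing directory.
# If DEST is missing, install(1) creates a regular file with that name.
naive_install() {
    install -m 755 "$1" "$2"
}

# Create the target directory first, and refuse to continue if the name is
# already taken by something that is not a directory.
safe_install() {
    src=$1
    destdir=$2
    if [ -e "$destdir" ] && [ ! -d "$destdir" ]; then
        echo "error: $destdir exists and is not a directory" >&2
        return 1
    fi
    install -d -m 755 "$destdir" && install -m 755 "$src" "$destdir/"
}

# Print "dir", "file" or "missing" for a path.
kind_of() {
    if [ -d "$1" ]; then
        echo dir
    elif [ -f "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# Build a scratch hierarchy whose root exists but whose sbin does not,
# plus one constructed "binary" to install. Prints the scratch root.
make_scratch() {
    root=$(mktemp -d) || return 1
    mkdir "$root/selinux"
    printf '#!/bin/sh\n' > "$root/tool_a"
    echo "$root"
}

# Original ordering: the first install turns sbin into a regular file.
demo_naive() {
    root=$(make_scratch) || return 1
    naive_install "$root/tool_a" "$root/selinux/sbin"
    kind_of "$root/selinux/sbin"
    rm -rf "$root"
}

# Directory-creating install: sbin is a directory and holds the tool.
demo_safe() {
    root=$(make_scratch) || return 1
    if safe_install "$root/tool_a" "$root/selinux/sbin"; then
        echo "$(kind_of "$root/selinux/sbin") $(kind_of "$root/selinux/sbin/tool_a")"
    else
        echo failed
    fi
    rm -rf "$root"
}

# A hierarchy already damaged by the naive install: the safe variant
# reports the conflict instead of overwriting the stray file.
demo_damaged() {
    root=$(make_scratch) || return 1
    naive_install "$root/tool_a" "$root/selinux/sbin"
    if safe_install "$root/tool_a" "$root/selinux/sbin" 2>/dev/null; then
        echo installed
    else
        echo refused
    fi
    rm -rf "$root"
}

echo "install into missing sbin : sbin is a $(demo_naive)"
echo "create directory first    : $(demo_safe)"
echo "already damaged hierarchy : $(demo_damaged)"
```
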
* Updated Release
@ 2002-05-02 20:32 Howard Holm
2002-05-03 4:33 ` Grant Bayley
2002-05-03 14:06 ` Stephen Smalley
0 siblings, 2 replies; 79+ messages in thread
From: Howard Holm @ 2002-05-02 20:32 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. Two new technical reports are available
in the documentation: a document describing the policy language and a
document describing the current LSM implementation of SELinux. The
site also includes a new release of the LSM-based SELinux prototype.
The stable (2.4) LSM-based SELinux prototype remains at kernel 2.4.18.
The development (2.5) LSM-based SELinux prototype was updated to kernel
2.5.10. A number of policy improvements, minor feature enhancements
and bug fixes have also been made.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-05-02 20:32 Howard Holm
@ 2002-05-03 4:33 ` Grant Bayley
2002-05-03 14:06 ` Stephen Smalley
1 sibling, 0 replies; 79+ messages in thread
From: Grant Bayley @ 2002-05-03 4:33 UTC (permalink / raw)
To: selinux
The Australian mirror of these files has now been updated:
ftp://ftp.wiretapped.net/sd3a/security/operating-systems/selinux/
http://the.wiretapped.net/security/operating-systems/selinux/
On Thu, 2 May 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. Two new technical reports are available
> in the documentation: a document describing the policy language and a
> document describing the current LSM implementation of SELinux. The
> site also includes a new release of the LSM-based SELinux prototype.
> The stable (2.4) LSM-based SELinux prototype remains at kernel 2.4.18.
> The development (2.5) LSM-based SELinux prototype was updated to kernel
> 2.5.10. A number of policy improvements, minor feature enhancements
> and bug fixes have also been made.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-05-02 20:32 Howard Holm
2002-05-03 4:33 ` Grant Bayley
@ 2002-05-03 14:06 ` Stephen Smalley
1 sibling, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-05-03 14:06 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
The updated release (2002050211) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module. As usual, you can
access it via:
export CVSROOT=:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux
cvs -z3 co nsa
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
On Thu, 2 May 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. Two new technical reports are available
> in the documentation: a document describing the policy language and a
> document describing the current LSM implementation of SELinux. The
> site also includes a new release of the LSM-based SELinux prototype.
> The stable (2.4) LSM-based SELinux prototype remains at kernel 2.4.18.
> The development (2.5) LSM-based SELinux prototype was updated to kernel
> 2.5.10. A number of policy improvements, minor feature enhancements
> and bug fixes have also been made.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Updated Release
@ 2002-05-31 21:32 Howard Holm
2002-06-01 10:21 ` Russell Coker
2002-06-03 15:08 ` Stephen Smalley
0 siblings, 2 replies; 79+ messages in thread
From: Howard Holm @ 2002-05-31 21:32 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of
the LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
prototype remains at kernel 2.4.18. The development (2.5) LSM-based
SELinux prototype was updated to kernel 2.5.19. The MLS support has
been enhanced, although it is still experimental. Support was added for
selecting enforcing mode at boot/insertion time. The extended socket
call processing was encapsulated and made optional. Connection peer SID
lists for accept_secure were implemented.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-05-31 21:32 Howard Holm
@ 2002-06-01 10:21 ` Russell Coker
2002-06-03 12:53 ` Stephen Smalley
2002-06-03 15:08 ` Stephen Smalley
1 sibling, 1 reply; 79+ messages in thread
From: Russell Coker @ 2002-06-01 10:21 UTC (permalink / raw)
To: Howard Holm, selinux
On Fri, 31 May 2002 23:32, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of
> the LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
> prototype remains at kernel 2.4.18. The development (2.5) LSM-based
For 2.4.18 the kernel patch doesn't have the recent patches for
security_get_sids or the patch for sleeping allocation during a policy load.
Is there some problem with these patches? Or was this an omission?
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-06-01 10:21 ` Russell Coker
@ 2002-06-03 12:53 ` Stephen Smalley
2002-06-03 22:44 ` Russell Coker
0 siblings, 1 reply; 79+ messages in thread
From: Stephen Smalley @ 2002-06-03 12:53 UTC (permalink / raw)
To: Russell Coker; +Cc: Howard Holm, selinux
On Sat, 1 Jun 2002, Russell Coker wrote:
> For 2.4.18 the kernel patch doesn't have the recent patches for
> security_get_sids or the patch for sleeping allocation during a policy load.
I'm not sure what you mean. I just downloaded the complete lsm-2.4 tree
and the lsm patch from the NSA SELinux web site, and they did include
these patches.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-05-31 21:32 Howard Holm
2002-06-01 10:21 ` Russell Coker
@ 2002-06-03 15:08 ` Stephen Smalley
1 sibling, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-06-03 15:08 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
The updated release (2002053110) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module. As usual, you can
access it via:
export CVSROOT=:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux
cvs -z3 co nsa
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-06-03 12:53 ` Stephen Smalley
@ 2002-06-03 22:44 ` Russell Coker
0 siblings, 0 replies; 79+ messages in thread
From: Russell Coker @ 2002-06-03 22:44 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Howard Holm, selinux
On Mon, 3 Jun 2002 14:53, Stephen Smalley wrote:
> On Sat, 1 Jun 2002, Russell Coker wrote:
> > For 2.4.18 the kernel patch doesn't have the recent patches for
> > security_get_sids or the patch for sleeping allocation during a policy
> > load.
>
> I'm not sure what you mean. I just downloaded the complete lsm-2.4 tree
> and the lsm patch from the NSA SELinux web site, and they did include
> these patches.
I have checked it again, it seems that I made a mistake. I may have
mistakenly used the latest LSM release when comparing instead.
It seems that the version on the NSA site has all the patches plus some new
socket and MLS support. I'll have it in Debian tomorrow.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Updated Release
@ 2002-07-03 19:59 Howard Holm
2002-07-04 11:33 ` Grant Bayley
2002-07-05 12:11 ` Stephen Smalley
0 siblings, 2 replies; 79+ messages in thread
From: Howard Holm @ 2002-07-03 19:59 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of
the LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
prototype remains at kernel 2.4.18. The development (2.5) LSM-based
SELinux prototype was updated to kernel 2.5.24. The OpenSSH patch has
been updated to openssh-3.4p1. The file system labeling support has
been generalized and labeling for kernel-generated IGMP and ICMP
traffic has been added. Many improvements have been made in the policy
including making many policy sections optional, changing the audit
configuration syntax, adding explicit type attribute declarations, and
merging many contributed domains and policy changes. The technical
report describing configuration of the policy has also been updated.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-03 19:59 Howard Holm
@ 2002-07-04 11:33 ` Grant Bayley
2002-07-04 13:07 ` Brad Chapman
2002-07-05 12:11 ` Stephen Smalley
1 sibling, 1 reply; 79+ messages in thread
From: Grant Bayley @ 2002-07-04 11:33 UTC (permalink / raw)
To: selinux
Apologies for the delay.
The Wiretapped mirror of SELinux has now been updated with the most recent
(2002070313) versions:
http://the.wiretapped.net/security/operating-systems/selinux/
Hope this helps,
Grant
-------------------------------------------------------
Grant Bayley gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
www.ausmac.net www.wiretapped.net www.2600.org.au
-------------------------------------------------------
On Wed, 3 Jul 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of
> the LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
[snip]
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-04 11:33 ` Grant Bayley
@ 2002-07-04 13:07 ` Brad Chapman
2002-07-04 13:10 ` Grant Bayley
2002-07-05 12:30 ` Stephen Smalley
0 siblings, 2 replies; 79+ messages in thread
From: Brad Chapman @ 2002-07-04 13:07 UTC (permalink / raw)
To: Grant Bayley; +Cc: selinux
Mr. Bayley,
--- Grant Bayley <gbayley@ausmac.net> wrote:
>
> Apologies for the delay.
>
> The Wiretapped mirror of SELinux has now been updated with the most recent
> (2002070313) versions:
>
> http://the.wiretapped.net/security/operating-systems/selinux/
Where is the best place to look for a ChangeLog for this version (i.e.
bugfixes, features, additional policy tweaks, etc.)
>
> Hope this helps,
>
> Grant
Thanks,
Brad
>
>
> On Wed, 3 Jul 2002, Howard Holm wrote:
>
> > The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> > list archive has been updated. The site includes a new release of
> > the LSM-based SELinux prototype. The stable (2.4) LSM-based SELinux
>
> [snip]
>
=====
Brad Chapman
Permanent e-mails: kakadu_croc@yahoo.com
jabiru_croc@yahoo.com
tanami_croc@devel.lbsd.net
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-04 13:07 ` Brad Chapman
@ 2002-07-04 13:10 ` Grant Bayley
2002-07-04 15:53 ` Brad Chapman
2002-07-05 12:30 ` Stephen Smalley
1 sibling, 1 reply; 79+ messages in thread
From: Grant Bayley @ 2002-07-04 13:10 UTC (permalink / raw)
To: Brad Chapman; +Cc: selinux
Hi,
This mailing list is usually the best place, the archives of which are
online here:
http://www.nsa.gov/selinux/list-archive/index.html
Howard's post earlier today also mentions the latest updates etc.
Grant
On Thu, 4 Jul 2002, Brad Chapman wrote:
> Mr. Bayley,
>
[snip]
> Where is the best place to look for a ChangeLog for this version (i.e.
> bugfixes, features, additional policy tweaks, etc.)
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-04 13:10 ` Grant Bayley
@ 2002-07-04 15:53 ` Brad Chapman
2002-07-05 12:35 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Brad Chapman @ 2002-07-04 15:53 UTC (permalink / raw)
To: Grant Bayley; +Cc: selinux
Mr. Bayley,
--- Grant Bayley <gbayley@ausmac.net> wrote:
> Hi,
>
> This mailing list is usually the best place, the archives of which are
> online here:
>
> http://www.nsa.gov/selinux/list-archive/index.html
>
> Howard's post earlier today also mentions the latest updates etc.
I'm sorry, but I can't seem to find this Mr. Howard's post in the
hypermail archives. Have they been updated yet? (IIRC, they are updated only
when a new release of selinux is made)
>
> Grant
Brad
>
> On Thu, 4 Jul 2002, Brad Chapman wrote:
>
> > Mr. Bayley,
> >
> [snip]
> > Where is the best place to look for a ChangeLog for this version
> (i.e.
> > bugfixes, features, additional policy tweaks, etc.)
=====
Brad Chapman
Permanent e-mails: kakadu_croc@yahoo.com
jabiru_croc@yahoo.com
tanami_croc@devel.lbsd.net
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-03 19:59 Howard Holm
2002-07-04 11:33 ` Grant Bayley
@ 2002-07-05 12:11 ` Stephen Smalley
1 sibling, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-07-05 12:11 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
The updated release (2002070313) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module. As usual, you can
access it via:
export CVSROOT=:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux
cvs -z3 co nsa
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-04 13:07 ` Brad Chapman
2002-07-04 13:10 ` Grant Bayley
@ 2002-07-05 12:30 ` Stephen Smalley
1 sibling, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-07-05 12:30 UTC (permalink / raw)
To: Brad Chapman; +Cc: Grant Bayley, selinux
On Thu, 4 Jul 2002, Brad Chapman wrote:
> Where is the best place to look for a ChangeLog for this version (i.e.
> bugfixes, features, additional policy tweaks, etc.)
selinux/ChangeLog in the selinux archive available from the download page.
You can also use the sourceforge CVS tree to generate a full diff between
the releases.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-07-04 15:53 ` Brad Chapman
@ 2002-07-05 12:35 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-07-05 12:35 UTC (permalink / raw)
To: Brad Chapman; +Cc: Grant Bayley, selinux
On Thu, 4 Jul 2002, Brad Chapman wrote:
> I'm sorry, but I can't seem to find this Mr. Howard's post in the
> hypermail archives. Have they been updated yet? (IIRC, they are updated only
> when a new release of selinux is made)
A new release was made on July 3rd, followed by Howard's announcement
(which naturally won't show up in the archives at the NSA site, as it
occurred after the release). However, you can see it in the
http://marc.theaimsgroup.com/?l=selinux list archives (and you should have
received a copy if you are subscribed).
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 79+ messages in thread
* Updated Release
@ 2002-08-24 17:45 Howard Holm
2002-08-26 12:36 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2002-08-24 17:45 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base kernel versions were updated to
2.4.19 and 2.5.31. The SELinux peer SID functionality was
re-implemented with new sock hooks; the accept_secure call should now
be reliable. The sysctl hook and /proc/sys labeling were made
configurable. Other minor enhancements were made including checkpolicy
and the example policy. Bugs were fixed in auditing logic, PSID
mapping code, and ipc permission hook.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-08-24 17:45 Howard Holm
@ 2002-08-26 12:36 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-08-26 12:36 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
The updated release (2002082308) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module. As usual, you can
access it via:
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
On Sat, 24 Aug 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base kernel versions were updated to
> 2.4.19 and 2.5.31. The SELinux peer SID functionality was
> re-implemented with new sock hooks; the accept_secure call should now
> be reliable. The sysctl hook and /proc/sys labeling were made
> configurable. Other minor enhancements were made including checkpolicy
> and the example policy. Bugs were fixed in auditing logic, PSID
> mapping code, and ipc permission hook.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Updated Release
@ 2002-10-23 14:16 Howard Holm
2002-10-23 19:57 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2002-10-23 14:16 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base 2.5 kernel version has been
updated to 2.5.44. The base 2.4 kernel version remains at 2.4.19, but
many changes have been made to the 2.4 LSM patch and to the 2.4 SELinux
module since the last release. The modified login, sshd and crond
programs have been updated to use a new configuration scheme. Socket
handling has been improved. Internally, precondition functions have
been removed in favor of early initialization support. The modified tar
has been updated to tar-1.13.25. A number of other improvements, bug
fixes and policy enhancements have taken place.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
2002-10-23 14:16 Howard Holm
@ 2002-10-23 19:57 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2002-10-23 19:57 UTC (permalink / raw)
To: selinux
The updated release (2002102211) has been imported and merged into the
sourceforge selinux CVS tree under the 'nsa' module. As usual, you can
check out a copy via:
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa
On Wed, 23 Oct 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base 2.5 kernel version has been
> updated to 2.5.44. The base 2.4 kernel version remains at 2.4.19, but
> many changes have been made to the 2.4 LSM patch and to the 2.4 SELinux
> module since the last release. The modified login, sshd and crond
> programs have been updated to use a new configuration scheme. Socket
> handling has been improved. Internally, precondition functions have
> been removed in favor of early initialization support. The modified tar
> has been updated to tar-1.13.25. A number of other improvements, bug
> fixes and policy enhancements have taken place.
^ permalink raw reply [flat|nested] 79+ messages in thread
* Updated Release
@ 2002-12-13 15:41 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2002-12-13 15:41 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base kernel versions have been updated
to 2.4.20 and 2.5.51. Initial SID and context for SCMP packets has been
added. Additional policy enhancement and patch contributions have been
merged. The logrotate patch has been updated to 3.6.5-2. The private
file oversight in LSM, inode_doinit bug in SELinux, and selopt compile
problems have all been fixed.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
@ 2002-12-16 14:57 Stephen D. Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen D. Smalley @ 2002-12-16 14:57 UTC (permalink / raw)
To: selinux, hdholm
The updated release (2002121210) has been imported and merged into
the sourceforge selinux CVS tree under the 'nsa' module. As usual,
you can check out a copy via:
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa
On Fri, 12 Dec 2002, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base kernel versions have been updated
> to 2.4.20 and 2.5.51. Initial SID and context for SCMP packets has been
> added. Additional policy enhancement and patch contributions have been
> merged. The logrotate patch has been updated to 3.6.5-2. The private
> file oversight in LSM, inode_doinit bug in SELinux, and selopt compile
> problems have all been fixed.
--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
^ permalink raw reply [flat|nested] 79+ messages in thread
* Updated Release
@ 2003-01-16 15:31 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2003-01-16 15:31 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base 2.5 kernel version has been
updated to 2.5.58. The base 2.4 kernel version remains at 2.4.20, but
the LSM patch and the SELinux module for 2.4 have changed since the last
release. New contributed policy analysis and policy management tools
have been added to the provided tools and utilities. Hooks for xattr
operations were added to 2.4. Inode security initialization has been
reworked using the d_instantiate hook. The nfsd private file bug in 2.4
has been fixed and the task_kill bug in 2.5 has been fixed. Configuring
the SELinux Policy, a technical report included in the documentation,
has been updated to reflect recent changes.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
^ permalink raw reply [flat|nested] 79+ messages in thread
* Re: Updated Release
@ 2003-01-16 16:12 Stephen D. Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen D. Smalley @ 2003-01-16 16:12 UTC (permalink / raw)
To: selinux
The updated release (2003011510) has been imported and merged into
the sourceforge selinux CVS tree under the 'nsa' module. As usual,
you can check out a copy via:
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base 2.5 kernel version has been
> updated to 2.5.58. The base 2.4 kernel version remains at 2.4.20, but
> the LSM patch and the SELinux module for 2.4 have changed since the last
> release. New contributed policy analysis and policy management tools
> have been added to the provided tools and utilities. Hooks for xattr
> operations were added to 2.4. Inode security initialization has been
> reworked using the d_instantiate hook. The nfsd private file bug in 2.4
> has been fixed and the task_kill bug in 2.5 has been fixed. Configuring
> the SELinux Policy, a technical report included in the documentation,
> has been updated to reflect recent changes.
--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
* Updated Release
@ 2003-04-07 20:46 Howard Holm
2003-04-08 14:11 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2003-04-07 20:46 UTC (permalink / raw)
To: SELinux Mailing List
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The example policy has been updated with
enhancements and cleanups. A number of bugs have been fixed in the
SELinux module. The updated module is available for the ia32 2.4.20
Linux kernel. The updated module is also available for both the
mainline 2.5.66 Linux kernel and an LSM patched 2.5.66 Linux kernel.
The new mainline module also includes work in preparation for a new
SELinux API. Finally, a port of SELinux to the arm 2.4.19 kernel is
also now available.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated Release
2003-04-07 20:46 Howard Holm
@ 2003-04-08 14:11 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2003-04-08 14:11 UTC (permalink / raw)
To: Howard Holm; +Cc: SELinux Mailing List
On Mon, 2003-04-07 at 16:46, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The example policy has been updated with
> enhancements and cleanups. A number of bugs have been fixed in the
> SELinux module. The updated module is available for the ia32 2.4.20
> Linux kernel. The updated module is also available for both the
> mainline 2.5.66 Linux kernel and an LSM patched 2.5.66 Linux kernel.
> The new mainline module also includes work in preparation for a new
> SELinux API. Finally, a port of SELinux to the arm 2.4.19 kernel is
> also now available.
The updated release (2003040709) has been imported and merged into
the sourceforge selinux CVS tree under the 'nsa' module. As usual,
you can check out a copy via:
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa
I have not imported the new 2.5 mainline-based SELinux or the ARM port
into the sourceforge CVS tree at present, although I can do so if there
is a demand for it.
* Updated Release
@ 2003-07-11 19:41 Howard Holm
2003-07-11 23:31 ` Christopher J. PeBenito
` (2 more replies)
0 siblings, 3 replies; 79+ messages in thread
From: Howard Holm @ 2003-07-11 19:41 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The base kernel versions have been
updated to 2.5.74 and 2.4.21. The SELinux API redesign with xattr
support has been completed for the version 2.5 based kernel. The
SELinux daemon and utility patches have been ported to the new API.
Support for the AT_SECURE auxv entry was added. Changes were made to
bprm hook permission checking and nosuid operation. A report, "Securing
the X Window System with SELinux" was added to documentation discussing
adding SELinux controls to the window system. Finally, many contributed
patches to tools and policy have been merged and RPM spec files and
SRPMs are now provided.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated Release
2003-07-11 19:41 Updated Release Howard Holm
@ 2003-07-11 23:31 ` Christopher J. PeBenito
2003-07-14 11:59 ` Stephen Smalley
2003-07-30 22:03 ` X-Windows and Client-side Buffer Overruns (was Re: Updated Release) Bill Laut
2003-07-31 2:56 ` Updated Release Bill Laut
2 siblings, 1 reply; 79+ messages in thread
From: Christopher J. PeBenito @ 2003-07-11 23:31 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
I've been trying out the updated kernel patches, and I'm noticing some
different behavior with the nfs lockd and rpciod. With this release,
they're starting up in kernel_t:
1057 344 system_u:system_r:portmap_t [portmap]
1135 346 system_u:system_r:rpcd_t [rpc.statd]
1211 346 system_u:system_r:rpcd_t [nfsd]
1212 346 system_u:system_r:rpcd_t [nfsd]
1213 346 system_u:system_r:rpcd_t [nfsd]
1214 346 system_u:system_r:rpcd_t [nfsd]
1215 1 system_u:system_r:kernel_t [lockd]
1216 1 system_u:system_r:kernel_t \_ [rpciod]
1217 346 system_u:system_r:rpcd_t [nfsd]
1218 346 system_u:system_r:rpcd_t [nfsd]
1219 346 system_u:system_r:rpcd_t [nfsd]
1220 346 system_u:system_r:rpcd_t [nfsd]
1224 346 system_u:system_r:rpcd_t [rpc.mountd]
It's causing a couple denials:
avc: denied { recvfrom } for pid=1216 comm=rpciod saddr=127.0.0.1
source=799 daddr=127.0.0.1 dest=111 netif=lo
scontext=system_u:system_r:portmap_t tcontext=system_u:system_r:kernel_t
tclass=udp_socket
avc: denied { recvfrom } for pid=1215 comm=lockd saddr=127.0.0.1
source=800 daddr=127.0.0.1 dest=890 netif=lo
scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:kernel_t
tclass=udp_socket
avc: denied { recvfrom } for pid=1135 exe=/sbin/rpc.statd
saddr=127.0.0.1 source=890 daddr=127.0.0.1 dest=800 netif=lo
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:rpcd_t
tclass=udp_socket
avc: denied { write } for pid=1215 comm=lockd lport=32770
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:rpcd_t
tclass=udp_socket
However, I immediately restart with the previous release kernel, w/o
relabelling or any other change, and they start up in rpcd_t:
1109 342 system_u:system_r:portmap_t [portmap]
1182 344 system_u:system_r:rpcd_t [rpc.statd]
1211 344 system_u:system_r:rpcd_t [nfsd]
1212 344 system_u:system_r:rpcd_t [nfsd]
1213 344 system_u:system_r:rpcd_t [nfsd]
1214 344 system_u:system_r:rpcd_t [nfsd]
1215 344 system_u:system_r:rpcd_t [nfsd]
1216 344 system_u:system_r:rpcd_t [nfsd]
1217 344 system_u:system_r:rpcd_t [nfsd]
1218 344 system_u:system_r:rpcd_t [nfsd]
1220 344 system_u:system_r:rpcd_t [lockd]
1221 344 system_u:system_r:rpcd_t \_ [rpciod]
1224 344 system_u:system_r:rpcd_t [rpc.mountd]
Is this intended?
On Fri, 2003-07-11 at 14:41, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The base kernel versions have been
> updated to 2.5.74 and 2.4.21.
--
Chris PeBenito
<pebenito@ieee.org>
AIM: PeBenito78
ICQ#: 10434387
"Engineering does not require science. Science helps
a lot, but people built perfectly good brick walls
long before they knew why cement works."-Alan Cox
* Re: Updated Release
2003-07-11 23:31 ` Christopher J. PeBenito
@ 2003-07-14 11:59 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2003-07-14 11:59 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Howard Holm, selinux
On Fri, 2003-07-11 at 19:31, Christopher J. PeBenito wrote:
> I've been trying out the updated kernel patches, and I'm noticing some
> different behavior with the nfs lockd and rpciod. With this release,
> they're starting up in kernel_t:
> Is this intended?
Yes, these are kernel threads, and they call reparent_to_init, so their
SID is changed to the kernel SID. This isn't new to this release.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
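The reply above attributes the kernel_t domain of lockd and rpciod to their being kernel threads. As an added example (not code from this thread), the script below parses the four denials Christopher posted, cross-references them with three rows of his process listing, and shows that every denied pair has kernel_t on one side. The function names are illustrative; the log lines and listing rows are copied from his message with the mail line wrapping undone.

```python
import re
from collections import defaultdict

# Denials copied from the message above, with the mail line wrapping undone.
AVC_LOG = """
avc: denied { recvfrom } for pid=1216 comm=rpciod saddr=127.0.0.1 source=799 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:portmap_t tcontext=system_u:system_r:kernel_t tclass=udp_socket
avc: denied { recvfrom } for pid=1215 comm=lockd saddr=127.0.0.1 source=800 daddr=127.0.0.1 dest=890 netif=lo scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:kernel_t tclass=udp_socket
avc: denied { recvfrom } for pid=1135 exe=/sbin/rpc.statd saddr=127.0.0.1 source=890 daddr=127.0.0.1 dest=800 netif=lo scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:rpcd_t tclass=udp_socket
avc: denied { write } for pid=1215 comm=lockd lport=32770 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:rpcd_t tclass=udp_socket
"""

# Three rows of the first process listing in the same message.
PS_LISTING = r"""
1135 346 system_u:system_r:rpcd_t [rpc.statd]
1215 1 system_u:system_r:kernel_t [lockd]
1216 1 system_u:system_r:kernel_t \_ [rpciod]
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
PS_RE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+:\S+:\S+)\s")


def context_type(context):
    """Return the type field of a user:role:type security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one 'avc: denied' record; return None if it is incomplete."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    stype = context_type(fields.get("scontext", ""))
    ttype = context_type(fields.get("tcontext", ""))
    if stype is None or ttype is None or "tclass" not in fields:
        return None  # truncated or malformed record
    pid = fields.get("pid", "")
    return {
        "perms": m.group(1).split(),
        "pid": int(pid) if pid.isdigit() else None,
        "name": fields.get("comm") or fields.get("exe"),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields["tclass"],
    }


def parse_ps(text):
    """Map PID -> domain from rows shaped like the listing in the message."""
    domains = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            domains[int(m.group(1))] = context_type(m.group(2))
    return domains


def summarize(denials):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def process_side(denial, domains):
    """Report whether the logged PID's own domain is the source or target."""
    domain = domains.get(denial["pid"])
    if domain is not None and domain == denial["stype"]:
        return "source"
    if domain is not None and domain == denial["ttype"]:
        return "target"
    return None


DENIALS = [d for d in map(parse_avc, AVC_LOG.splitlines()) if d]
DOMAINS = parse_ps(PS_LISTING)

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize(DENIALS).items():
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
    for d in DENIALS:
        print(d["pid"], d["name"], DOMAINS.get(d["pid"]), process_side(d, DOMAINS))
```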
* X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-11 19:41 Updated Release Howard Holm
2003-07-11 23:31 ` Christopher J. PeBenito
@ 2003-07-30 22:03 ` Bill Laut
2003-07-31 2:45 ` Tom
2003-07-31 2:56 ` Updated Release Bill Laut
2 siblings, 1 reply; 79+ messages in thread
From: Bill Laut @ 2003-07-30 22:03 UTC (permalink / raw)
To: SELinux
On Friday 11 July 2003 03:41 pm, Howard Holm wrote (in part):
>
> [...]
>
> A report, "Securing the X Window System with SELinux" was added to
> documentation discussing adding SELinux controls to the window system.
>
In addition to the other excellent items he mentioned, this line in Howard's
announcement especially piqued my interest. Recently I've been observing a
cracker breaking into my honeypot by presumably compromising an email server
I access in order to exploit a buffer overrun in KMail to then launch a
buffer overrun in XFree86, so s/he can then insert spyware into the running
kernel. I qualify this statement because the cracker was leaving artifacts
on my system but I didn't want to do anything that would let them know that I
was onto their presence.
This leads me to the question: While considerable work has been done to
protect the system from server app compromises, what about protecting the
system from server-based buffer overrun attacks on clients running under
SELinux?
Also, is there a way to add types to each of the security services, so that
compromised network clients can be blocked from becoming "security-aware?"
For example, let's say I'm running KMail to retrieve my email from a
latently-malicious email server. It uses a buffer overrun to compromise my
email client in order to then probe my security policy by attempting to
invoke the various security system services and measure the results they
return (whose summary results are then networked back out to a server
somewhere on the 'Net).
For those network clients that have no reason to be security-aware, would it
seem reasonable to audit and/or block their invocation of security system
services as a possible probe by a compromised client?
Finally, it seems to me that filching stored email would be a favorite target
of industrial spies. Accordingly, I was thinking that some sort of optional
external abstraction (like, say, a PDA running an appropriate security app)
might be useful for authorizing access to email files on a per-request basis.
For example, if you wished to run your favorite email client you would first
have to run an appropriate security app on your PDA, which then connects via
the hotsync cradle to SELinux. Then, as you access your email folders and/or
Address Book, avc then asks the PDA app (as a trusted third party) whether or
not to conditionally allow that access to occur. In practice, the PDA would
beep and then display a question concerning the access, which the user then
taps the "allow" or "deny" buttons to resolve. Should a malicious server
then compromise the user's email client in order to filch his/her stored email,
the user will immediately be alerted to this condition by the PDA beeping
when no such email access should be occurring. Appropriately, since the
compromised email client will be patiently waiting for the fopen() service to
complete, the security kernel would be able to preserve the client's stack
for later analysis.
Would anyone care to comment on or critique these ideas? Please pardon me in
advance if some of the questions seemed obvious, as per my habit I was
"thinking out loud" while typing them in.
Bill
* Re: X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-30 22:03 ` X-Windows and Client-side Buffer Overruns (was Re: Updated Release) Bill Laut
@ 2003-07-31 2:45 ` Tom
2003-07-31 15:26 ` Russell Coker
0 siblings, 1 reply; 79+ messages in thread
From: Tom @ 2003-07-31 2:45 UTC (permalink / raw)
To: Bill Laut; +Cc: SELinux
On Wed, Jul 30, 2003 at 06:03:29PM -0400, Bill Laut wrote:
> This leads me to the question: While considerable work has been done to
> protect the system from server app compromises, what about protecting the
> system from server-based buffer overrun attacks on clients running under
> SELinux?
Some work has been done in this area. Russell wrote a policy for an irc
client as an example. It should be easy to write one for a mailer along
those lines.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: Updated Release
2003-07-11 19:41 Updated Release Howard Holm
2003-07-11 23:31 ` Christopher J. PeBenito
2003-07-30 22:03 ` X-Windows and Client-side Buffer Overruns (was Re: Updated Release) Bill Laut
@ 2003-07-31 2:56 ` Bill Laut
2003-07-31 12:20 ` Stephen Smalley
2 siblings, 1 reply; 79+ messages in thread
From: Bill Laut @ 2003-07-31 2:56 UTC (permalink / raw)
To: selinux
On Friday 11 July 2003 03:41 pm, Howard Holm wrote:
>
> [...]
>
> A report, "Securing the X Window System with SELinux" was added to
> documentation discussing adding SELinux controls to the window system.
>
Where is this report located? I've searched through both the 2.4 and 2.5 kits
but cannot seem to locate it.
Bill
* Re: Updated Release
2003-07-31 2:56 ` Updated Release Bill Laut
@ 2003-07-31 12:20 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2003-07-31 12:20 UTC (permalink / raw)
To: Bill Laut; +Cc: selinux
On Wed, 2003-07-30 at 22:56, Bill Laut wrote:
> On Friday 11 July 2003 03:41 pm, Howard Holm wrote:
> >
> > [...]
> >
> > A report, "Securing the X Window System with SELinux" was added to
> > documentation discussing adding SELinux controls to the window system.
> >
>
> Where is this report located? I've searched through both the 2.4 and 2.5 kits
> but cannot seem to locate it.
http://www.nsa.gov/selinux/x11-abs.html contains links to PDF and
PostScript versions of the document. That page is linked into the
Documentation page (http://www.nsa.gov/selinux/docs.html), as well as
being directly linked by the What's New page
(http://www.nsa.gov/selinux/news.html).
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-31 2:45 ` Tom
@ 2003-07-31 15:26 ` Russell Coker
2003-07-31 15:38 ` Tom
2003-07-31 16:26 ` Bill Laut
0 siblings, 2 replies; 79+ messages in thread
From: Russell Coker @ 2003-07-31 15:26 UTC (permalink / raw)
To: Tom, Bill Laut; +Cc: SELinux
On Thu, 31 Jul 2003 12:45, Tom wrote:
> On Wed, Jul 30, 2003 at 06:03:29PM -0400, Bill Laut wrote:
> > This leads me to the question: While considerable work has been done to
> > protect the system from server app compromises, what about protecting the
> > system from server-based buffer overrun attacks on clients running under
> > SELinux?
>
> Some work has been done in this area. Russell wrote a policy for an irc
> client as an example. It should be easy to write one for a mailer along
> those lines.
Not that easy.
Using IRC without X access is no great hardship, while using a text based MUA
loses significant functionality. X is currently the main area that SE Linux
does not address yet.
A mail client wants to access mail files under the user's home directory, this
means that the files in question need a separate type as you don't want the
mail client to access all the other files in the home directory. This gives
the usual issues of mv followed by file creation giving a different type and
preventing things working in a way that novice users can't debug...
The mail client needs to be able to save files (easily managed) and to invoke
the web browser and other programs (which may be more difficult).
Finally if using kmail then you have to deal with the kdeinit method of
program launch...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-31 15:26 ` Russell Coker
@ 2003-07-31 15:38 ` Tom
2003-07-31 16:26 ` Bill Laut
1 sibling, 0 replies; 79+ messages in thread
From: Tom @ 2003-07-31 15:38 UTC (permalink / raw)
To: Russell Coker; +Cc: Bill Laut, SELinux
On Fri, Aug 01, 2003 at 01:26:58AM +1000, Russell Coker wrote:
> Using IRC without X access is no great hardship, while using a text based MUA
> loses significant functionality.
Uh?
<img content="stupid look on face of an avid mutt user">
> X is currently the main area that SE Linux
> does not address yet.
True. However, that is not a problem specific to a MUA.
> A mail client wants to access mail files under the user's home directory, this
> means that the files in question need a separate type as you don't want the
> mail client to access all the other files in the home directory. This gives
> the usual issues of mv followed by file creation giving a different type and
> preventing things working in a way that novice users can't debug...
I'd do this the same way I did it with my subversion policy: Set up the
mail directory so that only the MUA (running in its own domain) can
access it. That way, the user simply can't mess up file labels.
> The mail client needs to be able to save files (easily managed) and to invoke
> the web browser and other programs (which may be more difficult).
I've been wanting to create a "downloaded files" domain for netscape
anyways. Did I post about that already? In short, there'd be a
~/Downloads dir with a special type and some auto-trans rules so that
stuff you download and "try out" runs in an untrusted domain, etc.
Maybe we should just create a more general "untrusted files" domain?
> Finally if using kmail then you have to deal with the kdeinit method of
> program launch...
I smell an SEKDE project on the horizon. From what I've seen, KDE is
way too integrated with itself to behave nicely with SE without changes
in the KDE code itself.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-31 15:26 ` Russell Coker
2003-07-31 15:38 ` Tom
@ 2003-07-31 16:26 ` Bill Laut
2003-07-31 23:41 ` Russell Coker
1 sibling, 1 reply; 79+ messages in thread
From: Bill Laut @ 2003-07-31 16:26 UTC (permalink / raw)
To: SELinux
On Thursday 31 July 2003 11:26 am, Russell Coker wrote:
> On Thu, 31 Jul 2003 12:45, Tom wrote:
> > On Wed, Jul 30, 2003 at 06:03:29PM -0400, Bill Laut wrote:
> > > This leads me to the question: While considerable work has been done
> > > to protect the system from server app compromises, what about
> > > protecting the system from server-based buffer overrun attacks on
> > > clients running under SELinux?
> >
> > Some work has been done in this area. Russell wrote a policy for an irc
> > client as an example. It should be easy to write one for a mailer along
> > those lines.
>
> Not that easy.
>
> Using IRC without X access is no great hardship, while using a text based
> MUA loses significant functionality. X is currently the main area that SE
> Linux does not address yet.
>
And, IMO, one of the greater dangers since it is/can be installed with
privilege, so that a latent buffer overrun exploit there could allow an
attacker unrestrained write access to the kernel itself.
>
> A mail client wants to access mail files under the user's home directory,
> this means that the files in question need a separate type as you don't
> want the mail client to access all the other files in the home directory.
> This gives the usual issues of mv followed by file creation giving a
> different type and preventing things working in a way that novice users
> can't debug...
>
Or, perhaps, what is needed all along is a security-aware mail client that's
been properly designed and tested against buffer overruns, so that it can
specify the type for the files it creates/maintains while at least attempting
to protect itself from being compromised by an exploit, along with existing
files being properly relabeled.
>
> The mail client needs to be able to save files (easily managed) and to
> invoke the web browser and other programs (which may be more difficult).
>
Hmm. This one needs to be thought about...
<tom@lemuria.org> wrote:
>>
>> Finally if using kmail then you have to deal with the kdeinit method of
>> program launch...
>>
>
> I smell an SEKDE project on the horizon.
>
I'm hearing the sound of Pandora's Box opening that I just opened... :-)
>
> From what I've seen, KDE is
> way too integrated with itself to behave nicely with SE without changes
> in the KDE code itself.
>
I've been looking for an excuse to learn the internals of KDE, so it looks
like I've found one. Perhaps the first thing to do is tackle X before going
after KDE?
Bill
* Re: X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-31 16:26 ` Bill Laut
@ 2003-07-31 23:41 ` Russell Coker
2003-08-01 17:20 ` Bill Laut
2003-08-08 20:05 ` Florian Weimer
0 siblings, 2 replies; 79+ messages in thread
From: Russell Coker @ 2003-07-31 23:41 UTC (permalink / raw)
To: Bill Laut, SELinux
On Fri, 1 Aug 2003 02:26, Bill Laut wrote:
> > Using IRC without X access is no great hardship, while using a text based
> > MUA loses significant functionality. X is currently the main area that
> > SE Linux does not address yet.
>
> And, IMO, one of the greater dangers since it is/can be installed with
> privilege, so that a latent buffer overrun exploit there could allow an
> attacker unrestrained write access to the kernel itself.
I think that you misunderstood my message. I was referring to the fact that
it is impossible to restrict an application which has X access from snooping
the windows of other X programs or reading the keyboard buffer.
As for the access that the X server program gets, I run X with the FrameBuffer
driver and it has no access to kernel memory and the only capabilities it has
which are of note are sys_rawio and sys_admin. I'm not sure why sys_admin is
needed, and sys_rawio should not be needed for framebuffer (but the X server
wants it anyway - probably a bug in the X server).
If we fix these issues then a compromise of the X server should not grant any
access other than the ability to have total control over the screen and
keyboard (which is still quite bad).
> > A mail client wants to access mail files under the user's home directory,
> > this means that the files in question need a separate type as you don't
> > want the mail client to access all the other files in the home directory.
> > This gives the usual issues of mv followed by file creation giving a
> > different type and preventing things working in a way that novice users
> > can't debug...
>
> Or, perhaps, what is needed all along is a security-aware mail client
> that's been properly designed and tested against buffer overruns, so that
> it can specify the type for the files it creates/maintains while at least
> attempting to protect itself from being compromised by an exploit, along
> with existing files being properly relabeled.
If we're going to do such things then the best first step would be to have an
external program establish the POP/IMAP connection and then pass the file
handle back to the main MUA. Then the MUA would not have the passwords.
Also something similar needs to be done for GPG. Currently MUAs get the
POP/IMAP passwords and the GPG pass-phrase in normal operation...
> > From what I've seen, KDE is
> > way too integrated with itself to behave nicely with SE without changes
> > in the KDE code itself.
>
> I've been looking for an excuse to learn the internals of KDE, so it looks
> like I've found one. Perhaps the first thing to do is tackle X before
> going after KDE?
KDE is a much easier thing to work on...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
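The split proposed in the message above (an external program logs in to the mail server, then passes the connected descriptor to the MUA) can be shown with SCM_RIGHTS descriptor passing over a Unix-domain socket. This is an added example, not code from the thread: the fake POP3 server, the credential, the status strings and all function names are constructed for the demo, and it needs Python 3.9+ on a Unix system.

```python
import os
import socket

PASSWORD = "correct-horse"  # constructed credential; only the helper is given it

def read_line(sock):
    """Read one CRLF line a byte at a time, so no server data is left
    buffered in a process that is about to give the socket away."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii").rstrip("\r\n")

def command(sock, text):
    sock.sendall(text.encode("ascii") + b"\r\n")
    return read_line(sock)

def fake_pop_server(sock):
    """Constructed stand-in for the remote mail server."""
    sock.sendall(b"+OK ready\r\n")
    authed = False
    while True:
        verb, _, arg = read_line(sock).partition(" ")
        if verb in ("", "QUIT"):  # EOF or end of session
            return
        if verb == "USER":
            reply = "+OK"
        elif verb == "PASS":
            authed = arg == PASSWORD
            reply = "+OK logged in" if authed else "-ERR bad login"
        elif verb == "STAT":
            reply = "+OK 2 320" if authed else "-ERR not authenticated"
        else:
            reply = "-ERR unknown command"
        sock.sendall(reply.encode("ascii") + b"\r\n")

def helper_login(conn, chan, user, password):
    """Helper role: authenticate, then pass the live connection to the MUA."""
    read_line(conn)  # greeting
    ok = (command(conn, "USER " + user).startswith("+OK")
          and command(conn, "PASS " + password).startswith("+OK"))
    if ok:
        # SCM_RIGHTS: the kernel installs a duplicate descriptor in the receiver.
        socket.send_fds(chan, [b"AUTHENTICATED"], [conn.fileno()])
    else:
        chan.sendall(b"LOGIN-FAILED")
    return ok

def mua_session(chan):
    """MUA role: receives an authenticated session, never the password."""
    msg, fds, _flags, _addr = socket.recv_fds(chan, 64, 1)
    if msg != b"AUTHENTICATED" or len(fds) != 1:
        for fd in fds:
            os.close(fd)
        return None
    with socket.socket(fileno=fds[0]) as conn:
        conn.settimeout(5)
        reply = command(conn, "STAT")
        conn.sendall(b"QUIT\r\n")
        return reply

def spawn(task, unused):
    """Fork a child that first closes the sockets its role must not hold."""
    pid = os.fork()
    if pid:
        return pid
    status = 1
    try:
        for sock in unused:
            sock.close()
        task()
        status = 0
    finally:
        os._exit(status)

def run(password):
    """The caller plays the MUA; server and helper run as child processes."""
    server_end, conn = socket.socketpair()       # stands in for the TCP session
    mua_chan, helper_chan = socket.socketpair()  # AF_UNIX channel, helper to MUA
    for sock in (server_end, conn, mua_chan, helper_chan):
        sock.settimeout(5)
    helper = lambda: helper_login(conn, helper_chan, "alice", password)
    pids = [spawn(lambda: fake_pop_server(server_end), (conn, mua_chan, helper_chan)),
            spawn(helper, (server_end, mua_chan))]
    for sock in (server_end, conn, helper_chan):  # the MUA keeps only its channel
        sock.close()
    try:
        return mua_session(mua_chan)
    finally:
        mua_chan.close()
        for pid in pids:
            os.waitpid(pid, 0)

if __name__ == "__main__":
    print("right password:", run(PASSWORD), "| wrong password:", run("wrong"))
```

In the demo all three roles start from one program, so the separation is by process and descriptor only; the arrangement discussed in the thread would put the helper in a separate executable running in its own domain.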
* Re: X-Windows and Client-side Buffer Overruns (was Re: Updated Release)
2003-07-31 23:41 ` Russell Coker
@ 2003-08-01 17:20 ` Bill Laut
2003-08-08 20:12 ` X-Windows and Client-side Buffer Overruns Florian Weimer
2003-08-08 20:05 ` Florian Weimer
1 sibling, 1 reply; 79+ messages in thread
From: Bill Laut @ 2003-08-01 17:20 UTC (permalink / raw)
To: russell, SELinux
On Thursday 31 July 2003 07:41 pm, Russell Coker wrote:
> On Fri, 1 Aug 2003 02:26, Bill Laut wrote:
>
> > [My discussion of X's potential kernel access deleted]
>
> I think that you misunderstood my message. I was referring to the fact
> that it is impossible to restrict an application which has X access from
> snooping the windows of other X programs or reading the keyboard buffer.
>
Or, in the case of remotely-executing clients, a simple packet sniffer
somewhere on the network.
I see your point now. I'll discuss what I think may be a solution below.
>
> As for the access that the X server program gets, I run X with the
> FrameBuffer driver and it has no access to kernel memory and the only
> capabilities it has which are of note are sys_rawio and sys_admin. I'm not
> sure why sys_admin is needed, and sys_rawio should not be needed for
> framebuffer (but the X server wants it anyway - probably a bug in the X
> server).
>
*light bulb suddenly turns on* Hmm.....
>
> If we fix these issues then a compromise of the X server should not grant
> any access other than the ability to have total control over the screen and
> keyboard (which is still quite bad).
>
Here's my hypothetical solution to the window/keyboard snooping issue. As a
disclaimer, it's been awhile since I seriously hacked inside of X and it
wasn't within Linux, so what I'm about to propose may be obsolete and/or
irrelevant. If so, please correct me.
Also, as a second disclaimer, up until now I've only had about two weeks to
devote to learning SELinux. I'm still digesting the syntax and capabilities
of the various policy elements, let alone trying to write my first
security-aware test application. Therefore, if I make any assumptions about
SELinux that are false, please point them out to me as I get myself up to
speed.
As I remember it, X resembles something like this:
[client and/or toolkit] <--> [xlib] <--> [transport] <--> [X server]
Of particular interest is the Transport layer, as it implements the Event and
Request Queues for X. Among others, it -can- expand to:
[client-side Transport] <--> [TCP stream] <--> [server-side Transport]
On some implementations, such as under OpenVMS, this "functional layering" is
strictly enforced such that multiple Transports are allowed to accommodate X
sessions over nearly any networking protocol (ie, TCP/IP, DECnet, LAT, etc.),
as well as having a "local" Transport optimized for clients that are running
on the same box as the server. As I understand it, however, in the
Linux/Unix world allegedly there are some ugly hacks which violate this clean
separation of layers/functions.
All of that notwithstanding, it would seem to me that X could be made at least
partially security-aware where the server interfaces with its transport
layer(s), because that would be the logical place to insert a "gatehouse"
that not only inspects all incoming X protocol requests from the clients but
can also distinguish between local and remote clients.
For local clients, the gatehouse could trivially determine the request's
originating PID and then invoke the appropriate security service to inquire
if that process' domain is authorized to issue those requests.
For remote clients, the gatehouse could pass along whatever relevant data it
can collect (IP address, source socket #, etc.). In the case of labelled
networking, I'm guessing the gatehouse would have to extend into the
Transport as well to retrieve that information?
Does this approach sound rational? Unless I'm overlooking something, it
should be possible to make X rather fine-grained.
>
> >
> > Or, perhaps, what is needed all along is a security-aware mail client
> > that's been properly designed and tested against buffer overruns, [...]
>
> If we're going to do such things then the best first step would be to have
> an external program establish the POP/IMAP connection and then pass the
> file handle back to the main MUA. Then the MUA would not have the
> passwords.
>
To express it a different way, what you are proposing is something akin to
running Sendmail and Qpopper on a personal web/email server, but without
the overkill those two apps represent because we would be "shrinking" them
down to "personal-sized" proxy versions that can run on the same machine as
the MUA. This would also "re-direct" any buffer overflow exploits away from
the MUA and onto the sendmail/qpopper pairing, which could be hardened against
such, while simultaneously extending the effort to the maximum number of MUAs
available. Correct?
>
> Also something similar needs to be done for GPG. Currently
> MUA's get the POP/IMAP passwords and the GPG pass-phrase in normal
> operation...
>
That wouldn't be too hard to do. In fact, it's something I've been toying
with since late 2001. I suggest the idea of using an SELinux-powered PDA for
that purpose (such as a Sharp Zaurus) in which the keyrings and all-important
asymmetric crypto functions are off-loaded from the PC and moved to the PDA,
and which the PC and PDA then communicate using an encrypted path through its
Hotsync cradle.
Furthermore, this functionality could be extended into PAM so that the PDA
could be used to authenticate the user's access to the PC. Additionally, to
appeal to larger organizations we could further leverage the PDA as the
user's authenticator to the corporate firewall for determining what traffic,
if any, is allowed access to the outside world, and to any servers for
determining what access the user is authorized to have.
This may be something to keep in mind as labelled networking evolves beyond
the experimental stage.
In summary, what I'm seeing is the potential for SELinux to quickly evolve
into THE premier security paradigm for Linux.
Obviously, the PDA now becomes the single point of failure in this security
paradigm. Accordingly, the only problem remaining is coming up with some
form of encryption to protect its keyrings, etc. that is more secure than
that "civilian-grade" AES.
Now, if Stephen knows anyone "down the hall" who could offer us some friendly
suggestions and/or critique some potential ciphers for us... ;-)
(Sorry about that, Stephen. It's Friday and I couldn't resist that obvious
plum.)
>
> > > From what I've seen, KDE is
> > > way too integrated with itself to behave nicely with SE without changes
> > > in the KDE code itself.
> >
> > I've been looking for an excuse to learn the internals of KDE, so it
> > looks like I've found one. Perhaps the first thing to do is tackle X
> > before going after KDE?
>
> KDE is a much easier thing to work on...
>
Interesting. I had the impression that it's the other way around.
Well, let me finish coming up to speed on SELinux and then I'll tackle the X
server mods. Please advise on the design review procedure used by the team
so that I can be in compliance.
For now, I'm tentatively planning to use the current XFree86 kit (v4.3.0) as
my base, with the objective of producing xdelta patches to the tgz files that
interested parties can download and apply to the official XFree86 distro.
Does this sound like a game plan to everyone?
Bill
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
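Russell's suggestion quoted in the message above (an external program establishes the POP/IMAP connection and passes the file handle back to the MUA), as an added example that is not code from any MUA or from the list: a helper process logs in and hands the open descriptor to the MUA with SCM_RIGHTS. The account name, password, server replies and the socketpair standing in for the TCP connection are all constructed; in a deployment the helper would be a separate executable whose secret store the MUA's domain cannot read.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* SCM_RIGHTS plumbing: control buffer sized and aligned for one descriptor. */
union fd_cmsg { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; };
static int send_fd(int chan, int fd)   /* returns 0 once the descriptor is queued */
{
    char byte = 0;
    union fd_cmsg u = { .buf = { 0 } };
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int chan)   /* returns the received descriptor, or -1 */
{
    char byte;
    int fd = -1;
    union fd_cmsg u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;
    if (recvmsg(chan, &msg, 0) == 1 && (c = CMSG_FIRSTHDR(&msg)) != NULL &&
        c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Lockstep exchange: send one command, read one NUL-terminated reply. */
static int exchange(int fd, const char *cmd, char *reply, size_t len)
{
    ssize_t n = write(fd, cmd, strlen(cmd));
    if (n < 0 || (n = read(fd, reply, len - 1)) <= 0) return -1;
    reply[n] = '\0';
    return 0;
}

/* Constructed stand-in for the POP3 server (greeting omitted): one login, one STAT. */
static void fake_pop3_server(int fd)
{
    static const char *expect[] = { "USER alice\r\n", "PASS correct-horse\r\n", "STAT\r\n" };
    static const char *answer[] = { "+OK\r\n", "+OK logged in\r\n", "+OK 2 320\r\n" };
    char line[128];
    for (int i = 0; i < 3; i++) {
        ssize_t n = read(fd, line, sizeof line - 1);
        if (n <= 0) return;
        line[n] = '\0';
        const char *out = strcmp(line, expect[i]) ? "-ERR\r\n" : answer[i];
        if (write(fd, out, strlen(out)) < 0) return;
    }
}

/* Credential helper: the only process that handles the password. It logs in, then
 * passes the authenticated connection (never the secret) to the MUA over chan. */
static int helper(int chan)
{
    int conn[2];   /* socketpair stands in for the TCP connection to the server */
    char r[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) != 0) return 1;
    if (fork() == 0) {   /* grandchild plays the remote server */
        close(conn[0]); close(chan);
        fake_pop3_server(conn[1]); _exit(0);
    }
    close(conn[1]);
    return exchange(conn[0], "USER alice\r\n", r, sizeof r) || strncmp(r, "+OK", 3) ||
           exchange(conn[0], "PASS correct-horse\r\n", r, sizeof r) || strncmp(r, "+OK", 3) ||
           send_fd(chan, conn[0]);   /* exit status 0 only after a completed handoff */
}

/* MUA side: start the helper, receive the logged-in descriptor, issue STAT on it.
 * Returns the server's reply, or NULL if no session was handed over. */
const char *mua_fetch_status(void)
{
    static char status[128];
    int chan[2], session, ok = 0;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) != 0) return NULL;
    if ((pid = fork()) == 0) { close(chan[0]); _exit(helper(chan[1])); }
    close(chan[1]);
    if ((session = recv_fd(chan[0])) >= 0) {
        ok = exchange(session, "STAT\r\n", status, sizeof status) == 0;
        close(session);
    }
    close(chan[0]);
    waitpid(pid, NULL, 0);
    return ok ? status : NULL;
}

int main(void)
{
    const char *s = mua_fetch_status();
    return printf("MUA got: %s", s ? s : "no session\n") < 0;
}
```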
* Re: X-Windows and Client-side Buffer Overruns
2003-07-31 23:41 ` Russell Coker
2003-08-01 17:20 ` Bill Laut
@ 2003-08-08 20:05 ` Florian Weimer
1 sibling, 0 replies; 79+ messages in thread
From: Florian Weimer @ 2003-08-08 20:05 UTC (permalink / raw)
To: russell; +Cc: Bill Laut, SELinux
Russell Coker <russell@coker.com.au> writes:
> I think that you misunderstood my message. I was referring to the
> fact that it is impossible to restrict an application which has X
> access from snooping the windows of other X programs or reading the
> keyboard buffer.
There are some X Security Extensions which restrict access to the root
window, windows of other client connections, and potentially dangerous
interfaces. But I have never seen them in action, and these
restrictions are just an afterthought (added around 1996).
* Re: X-Windows and Client-side Buffer Overruns
2003-08-01 17:20 ` Bill Laut
@ 2003-08-08 20:12 ` Florian Weimer
0 siblings, 0 replies; 79+ messages in thread
From: Florian Weimer @ 2003-08-08 20:12 UTC (permalink / raw)
To: Bill Laut; +Cc: russell, SELinux
Bill Laut <wlsel@verizon.net> writes:
>> Also something similar needs to be done for GPG. Currently
>> MUA's get the POP/IMAP passwords and the GPG pass-phrase in normal
>> operation...
>>
>
> That wouldn't be too hard to do. In fact, it's something I've been toying
> with since late 2001. I suggest the idea of using an SELinux-powered PDA for
> that purpose (such as a Sharp Zaurus) in which the keyrings and all-important
> asymmetric crypto functions are off-loaded from the PC and moved to the PDA,
> and which the PC and PDA then communicate using an encrypted path through its
> Hotsync cradle.
PDAs as heavy-weight smartcards? Why not.
Smartcard support for GnuPG will arrive eventually, and all critical
passphrase/crypto stuff will be moved to gpg-agent, a separate
process. (Most of this work is already done for GnuPG/X.509, I
suppose.)
* Updated Release
@ 2003-08-14 11:46 Howard Holm
2003-08-14 16:14 ` Chris PeBenito
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2003-08-14 11:46 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the
maillist archive has been updated. The SELinux module has been merged
into the mainline kernel as of 2.6.0-test3. This release includes new
kernel patches based on the 2.6.0-test3 kernel and a backport of the 2.6
SELinux module to the 2.4.21 kernel. The new API is consistent between
2.4 and 2.6. The old 2.4 API and user-space utilities are no longer
actively maintained. There have been a number of bug fixes and cleanups
to the library and utilities as well as new contributions to the example
policy.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
* Re: Updated Release
2003-08-14 11:46 Howard Holm
@ 2003-08-14 16:14 ` Chris PeBenito
2003-08-14 18:21 ` James Carter
0 siblings, 1 reply; 79+ messages in thread
From: Chris PeBenito @ 2003-08-14 16:14 UTC (permalink / raw)
To: Howard Holm; +Cc: SELinux Mail List
Is this backported 2.6 api non arch-specific, like it is in 2.6? Or is
it still limited to x86?
On Thu, 2003-08-14 at 06:46, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the
> maillist archive has been updated. The SELinux module has been merged
> into the mainline kernel as of 2.6.0-test3. This release includes new
> kernel patches based on the 2.6.0-test3 kernel and a backport of the 2.6
> SELinux module to the 2.4.21 kernel. The new API is consistent between
> 2.4 and 2.6. The old 2.4 API and user-space utilities are no longer
> actively maintained. There have been a number of bug fixes and cleanups
> to the library and utilities as well as new contributions to the example
> policy.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: Updated Release
2003-08-14 16:14 ` Chris PeBenito
@ 2003-08-14 18:21 ` James Carter
0 siblings, 0 replies; 79+ messages in thread
From: James Carter @ 2003-08-14 18:21 UTC (permalink / raw)
To: Chris PeBenito; +Cc: SELinux
On Thu, 2003-08-14 at 12:14, Chris PeBenito wrote:
> Is this backported 2.6 api non arch-specific, like it is in 2.6? Or is
> it still limited to x86?
It is not architecture specific, but it has only been tested on x86.
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Updated Release
@ 2003-10-02 17:13 Howard Holm
2003-10-03 6:47 ` Andreas Schuldei
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2003-10-02 17:13 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. SELinux kernel patches for 2.6.0-test6
and 2.4.21 are available. The updated kernel patches include support
for an selinux boot parameter and improved auditing. A number of
bugfixes and improvements have been integrated into the user space tools
and utilities. SRPMs for newer Red Hat packages are available. The
star package has been added. The example policy has been updated.
Improvements have been made to existing policy tools, and a new policy
analysis tool has been added.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
* Re: Updated Release
2003-10-02 17:13 Howard Holm
@ 2003-10-03 6:47 ` Andreas Schuldei
2003-10-03 13:45 ` Stephen Smalley
2003-10-03 14:19 ` Daniel J Walsh
0 siblings, 2 replies; 79+ messages in thread
From: Andreas Schuldei @ 2003-10-03 6:47 UTC (permalink / raw)
To: Howard Holm; +Cc: selinux
* Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
> The
> star package has been added.
is that the tar which was enhanced for backing up selinux
attributes?
* Re: Updated Release
2003-10-03 6:47 ` Andreas Schuldei
@ 2003-10-03 13:45 ` Stephen Smalley
2003-10-04 11:40 ` Andreas Schuldei
2003-10-03 14:19 ` Daniel J Walsh
1 sibling, 1 reply; 79+ messages in thread
From: Stephen Smalley @ 2003-10-03 13:45 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: Howard Holm, selinux
On Fri, 2003-10-03 at 02:47, Andreas Schuldei wrote:
> * Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
> > The
> > star package has been added.
>
> is that the tar which was enhanced for backing up selinux
> attributes?
It is not the patched tar program from the old SELinux.
Instead, it is a patched form of Joerg Schilling's star(1) archiver. He
has incorporated the EA support into the upstream star, so we are able
to leverage that support for storing the SELinux attributes in the
archive, but there is a small SELinux-specific patch to use the SELinux
API to create extracted files immediately with their SELinux security
context (rather than having to set the security context _after_ creating
the file), since the xattr API does not support that functionality.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Updated Release
2003-10-03 6:47 ` Andreas Schuldei
2003-10-03 13:45 ` Stephen Smalley
@ 2003-10-03 14:19 ` Daniel J Walsh
1 sibling, 0 replies; 79+ messages in thread
From: Daniel J Walsh @ 2003-10-03 14:19 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: Howard Holm, selinux
Andreas Schuldei wrote:
>* Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
>
>
>>The
>>star package has been added.
>>
>>
>
>is that the tar which was enhanced for backing up selinux
>attributes?
>
yes
* Re: Updated Release
2003-10-03 13:45 ` Stephen Smalley
@ 2003-10-04 11:40 ` Andreas Schuldei
2003-10-06 14:20 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Andreas Schuldei @ 2003-10-04 11:40 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
* Stephen Smalley (sds@epoch.ncsc.mil) [031003 15:45]:
> On Fri, 2003-10-03 at 02:47, Andreas Schuldei wrote:
> > * Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
> > > The
> > > star package has been added.
> >
> > is that the tar which was enhanced for backing up selinux
> > attributes?
>
> It is not the patched tar program from the old SELinux.
> Instead, it is a patched form of Joerg Schilling's star(1) archiver. He
> has incorporated the EA support into the upstream star, so we are able
> to leverage that support for storing the SELinux attributes in the
> archive, but there is a small SELinux-specific patch to use the SELinux
> API to create extracted files immediately with their SELinux security
> context (rather than having to set the security context _after_ creating
> the file), since the xattr API does not support that functionality.
you mention the xattr api. can this tar be used to restore
systems or parts of a system, bridging the 2.4 -> 2.6 switch? Or
is it only good for the version of selinux the backup was created
with?
i did not find the rpm (or srpm or tar) file for star on the
download page. what is the url to it?
and who has a backup script, switching from admin to backup
context, and backing up stuff?
* Re: Updated Release
2003-10-04 11:40 ` Andreas Schuldei
@ 2003-10-06 14:20 ` Stephen Smalley
2003-10-06 17:55 ` Tom
0 siblings, 1 reply; 79+ messages in thread
From: Stephen Smalley @ 2003-10-06 14:20 UTC (permalink / raw)
To: Andreas Schuldei; +Cc: selinux
On Sat, 2003-10-04 at 07:40, Andreas Schuldei wrote:
> you mention the xattr api. can this tar be used to restore
> systems or parts of a system, bridging the 2.4 -> 2.6 switch? Or
> is it only good for the version of selinux the backup was created
> with?
The star program only works with extended attributes and (with the
SELinux patch) with the new SELinux API. The old SELinux API was never
supported by star. Also, just to be clear, the API and implementation
changes to SELinux (including the use of xattr) were back ported to
Linux 2.4, so there is no difference in API or xattr usage between the
current 2.4-based and 2.6-based SELinux. The old SELinux has been moved
to the historical versions page and is no longer maintained, at least
not by us.
Upgrading an existing system from the old SELinux to the new SELinux
seamlessly is complicated; see the earlier discussions on the list
regarding it, e.g.
http://marc.theaimsgroup.com/?l=selinux&m=106156668426416&w=2
> i did not find the rpm (or srpm or tar) file for star on the
> download page. what is the url to it?
You can obtain any of the SRPMS for the patched daemons and utilities
from http://www.nsa.gov/selinux/SRPMS. Sorry, we'll add an explicit
link for the star patch and SRPM to the download page next time.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Updated Release
2003-10-06 14:20 ` Stephen Smalley
@ 2003-10-06 17:55 ` Tom
0 siblings, 0 replies; 79+ messages in thread
From: Tom @ 2003-10-06 17:55 UTC (permalink / raw)
To: Andreas Schuldei, selinux; +Cc: Stephen Smalley
On Mon, Oct 06, 2003 at 10:20:20AM -0400, Stephen Smalley wrote:
> Upgrading an existing system from the old SELinux to the new SELinux
> seamlessly is complicated; see the earlier discussions on the list
> regarding it, e.g.
> http://marc.theaimsgroup.com/?l=selinux&m=106156668426416&w=2
On Debian, it's not that hard if you can live with running it in
non-SELinux or at least permissive mode during the update. I've just
done it to my notebook last week. Here's a short step-by-step guide:
http://selinux.lemuria.org/install-2.6.html
It doesn't explicitly say so, but the system was a 2.4.21 SELinux
system when I started out.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Updated Release
@ 2003-12-05 20:28 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2003-12-05 20:28 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base kernel versions have been updated
to 2.4.23 and 2.6.0-test11. In 2.6.0-test11 controls have been added for
inheritance of signal-related state and resource limits and the network
interface and node controls have been reimplemented. SysVinit has been
patched to eliminate the need for a modified initrd. Login now uses a
pam_selinux module. Many other updates have been made to the tools,
utilities and userland patches.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
* Updated Release
@ 2004-02-23 23:19 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2004-02-23 23:19 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated and redesigned. The base kernel versions
have been updated to 2.4.24 and 2.6.3. The 2.6.3 kernel patches include
significant enhancements including port-based controls, mount context
options, and conditional policy extensions. libselinux now includes
code for a userspace AVC and discovers the selinuxfs mount point at
runtime. Many other updates and bugfixes have been applied.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
* Updated Release
@ 2004-03-12 18:34 Howard Holm
2004-03-16 13:16 ` James Carter
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2004-03-12 18:34 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. OpenPGP signatures are now available for
released code. The site includes a new release of the SELinux prototype.
Experimental SELinux NFS code has been made available. The base kernel
version for 2.4 has been updated to 2.4.25. The base version for 2.6
remains 2.6.3, but the SELinux patch has been updated. Among the
improvements in this release: Fine-grained boolean labeling support has
been merged. The userspace AVC has been enhanced to handle netlink
selinux notifications. MLS improvements have been merged as well as
updates to slat and the example policy.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency
* Re: Updated Release
2004-03-12 18:34 Howard Holm
@ 2004-03-16 13:16 ` James Carter
0 siblings, 0 replies; 79+ messages in thread
From: James Carter @ 2004-03-16 13:16 UTC (permalink / raw)
To: SELinux
On Fri, 2004-03-12 at 13:34, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. OpenPGP signatures are now available for
> released code. The site includes a new release of the SELinux prototype.
> Experimental SELinux NFS code has been made available. The base kernel
The experimental SELinux NFS patch consists of both a kernel patch and
userland patches. The userland patches include a patch to mount adding
a selinuxnfs filesystem type, a xattr mount option, and a selinux mount
option. There is also a patch to exportfs to add a selinux export
option. See the README in the nfs-usr archive for instructions.
The SELinux NFS patch modifies NFS v3 and the SELinux module. Some of
the modifications:
1. The client can get and set extended attributes on the server. (Not
limited to just security.selinux attributes.)
2. The client labels the security contexts of the selinuxnfs inodes
with the security context received from the server.
3. The client sends the security context of the process to the server.
4. The server uses the security context of the process on the client to
make security decisions.
5. More permission checking on the client and the server. (Ex. Not
bypassing access calls to server if it is not an open or access.)
There are still the following limitations:
1. The client and server need to have essentially the same policy.
2. The client does not revalidate the security contexts for the NFS
inodes. If the security context is changed on the server or from
another client, it will not be reflected on the client. If the change
is made on the client, then the client and server will have the correct
context. I am currently working on a fix for this.
3. The fs create context is not currently passed to the server, so it
depends on the client to set the context after the fact, widening the
window where the file exists in the default type. I am also currently
working on a fix for this.
4. Due to caching by the client, there is a strong dependence on the
client to enforce the policy; the server can only directly mediate the
initial request for data before it is cached and is also limited by the
protocol.
Note that this patch does not address the RPC socket creation issue
encountered by Stephen Tweedie of Red Hat; addressing that also requires
a separate patch for sock_create.
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Updated Release
@ 2004-04-08 14:29 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2004-04-08 14:29 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
site includes a new release of the SELinux prototype. The current
prototype and the experimental NFS code are now based on Linux kernel
2.6.5. IPv6 support has been added. A new sestatus utility is
available. A number of bugs have been fixed and many updates have been
made to the example policy.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
* Updated Release
@ 2004-05-13 23:10 Howard Holm
2004-05-14 14:26 ` Stephen Smalley
0 siblings, 1 reply; 79+ messages in thread
From: Howard Holm @ 2004-05-13 23:10 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
site includes a new release of the SELinux prototype. The current
prototype and the experimental NFS code are now based on Linux kernel
2.6.6. Several races and kernel socket creation have been fixed and a
runtime disable has been added. The old linux 2.4-based kernel patch has
been ported to 2.4.26. The userland patches have been updated from
Fedora Core 2 development. There are now man pages for libselinux. X
server security classes and access vector definitions were added and
many policy updates were made.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
* Re: Updated Release
2004-05-13 23:10 Howard Holm
@ 2004-05-14 14:26 ` Stephen Smalley
0 siblings, 0 replies; 79+ messages in thread
From: Stephen Smalley @ 2004-05-14 14:26 UTC (permalink / raw)
To: selinux
On Thu, 2004-05-13 at 19:10, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
> site includes a new release of the SELinux prototype. The current
> prototype and the experimental NFS code are now based on Linux kernel
> 2.6.6. Several races and kernel socket creation have been fixed and a
> runtime disable has been added. The old linux 2.4-based kernel patch has
> been ported to 2.4.26. The userland patches have been updated from
> Fedora Core 2 development. There are now man pages for libselinux. X
> server security classes and access vector definitions were added and
> many policy updates were made.
The sourceforge CVS tree has been updated for this release. Please note
that this is the last planned release for the 2.4-based SELinux; a
snapshot of it will move to the historical versions page in future
releases and no further maintenance on it will be done.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Updated Release
@ 2004-06-29 21:16 Howard Holm
0 siblings, 0 replies; 79+ messages in thread
From: Howard Holm @ 2004-06-29 21:16 UTC (permalink / raw)
To: selinux
The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
site includes a new release of the SELinux prototype. The current
prototype and the experimental NFS code are now based on Linux kernel
2.6.7. Fine-grained netlink classes and permissions have been added.
Many enhancements and bugfixes for policy as well as userland tools
including slat and setools have been incorporated.
--
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency
end of thread, other threads:[~2004-06-29 21:16 UTC | newest]
Thread overview: 79+ messages
2003-07-11 19:41 Updated Release Howard Holm
2003-07-11 23:31 ` Christopher J. PeBenito
2003-07-14 11:59 ` Stephen Smalley
2003-07-30 22:03 ` X-Windows and Client-side Buffer Overruns (was Re: Updated Release) Bill Laut
2003-07-31 2:45 ` Tom
2003-07-31 15:26 ` Russell Coker
2003-07-31 15:38 ` Tom
2003-07-31 16:26 ` Bill Laut
2003-07-31 23:41 ` Russell Coker
2003-08-01 17:20 ` Bill Laut
2003-08-08 20:12 ` X-Windows and Client-side Buffer Overruns Florian Weimer
2003-08-08 20:05 ` Florian Weimer
2003-07-31 2:56 ` Updated Release Bill Laut
2003-07-31 12:20 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2004-06-29 21:16 Howard Holm
2004-05-13 23:10 Howard Holm
2004-05-14 14:26 ` Stephen Smalley
2004-04-08 14:29 Howard Holm
2004-03-12 18:34 Howard Holm
2004-03-16 13:16 ` James Carter
2004-02-23 23:19 Howard Holm
2003-12-05 20:28 Howard Holm
2003-10-02 17:13 Howard Holm
2003-10-03 6:47 ` Andreas Schuldei
2003-10-03 13:45 ` Stephen Smalley
2003-10-04 11:40 ` Andreas Schuldei
2003-10-06 14:20 ` Stephen Smalley
2003-10-06 17:55 ` Tom
2003-10-03 14:19 ` Daniel J Walsh
2003-08-14 11:46 Howard Holm
2003-08-14 16:14 ` Chris PeBenito
2003-08-14 18:21 ` James Carter
2003-04-07 20:46 Howard Holm
2003-04-08 14:11 ` Stephen Smalley
2003-01-16 16:12 Stephen D. Smalley
2003-01-16 15:31 Howard Holm
2002-12-16 14:57 Stephen D. Smalley
2002-12-13 15:41 Howard Holm
2002-10-23 14:16 Howard Holm
2002-10-23 19:57 ` Stephen Smalley
2002-08-24 17:45 Howard Holm
2002-08-26 12:36 ` Stephen Smalley
2002-07-03 19:59 Howard Holm
2002-07-04 11:33 ` Grant Bayley
2002-07-04 13:07 ` Brad Chapman
2002-07-04 13:10 ` Grant Bayley
2002-07-04 15:53 ` Brad Chapman
2002-07-05 12:35 ` Stephen Smalley
2002-07-05 12:30 ` Stephen Smalley
2002-07-05 12:11 ` Stephen Smalley
2002-05-31 21:32 Howard Holm
2002-06-01 10:21 ` Russell Coker
2002-06-03 12:53 ` Stephen Smalley
2002-06-03 22:44 ` Russell Coker
2002-06-03 15:08 ` Stephen Smalley
2002-05-02 20:32 Howard Holm
2002-05-03 4:33 ` Grant Bayley
2002-05-03 14:06 ` Stephen Smalley
[not found] <72222DC86846D411ABD300A0C9EB08A10152430C@csoc-mail-box.csoconline.com>
2002-03-15 17:03 ` Stephen Smalley
2002-03-14 20:12 Howard Holm
2002-03-15 14:38 ` Stephen Smalley
2002-01-18 22:56 Howard Holm
2002-01-19 0:18 ` Grant Bayley
2001-12-10 20:55 Updated release Howard Holm
2001-12-11 3:27 ` Grant Bayley
2001-11-20 14:10 Howard Holm
2001-11-21 1:30 ` Grant Bayley
2001-10-16 22:03 Howard Holm
2001-10-17 15:05 ` Stephen Smalley
2001-10-18 9:11 ` J
2001-08-24 14:30 Howard Holm
2001-09-27 22:11 ` Howard Holm
2001-09-28 6:44 ` Grant Bayley
2001-09-30 6:47 ` Conan Callen
2001-10-01 13:52 ` Stephen Smalley
2001-04-17 21:23 Howard Holm
2001-03-16 16:07 Howard Holm
2001-03-16 23:29 ` Grant Bayley
2001-01-02 22:28 Pete Loscocco