* Trivial debian bootscript for selinuxfs on 2.6
From: Dale Amon @ 2003-09-16 15:54 UTC
To: SELinux Mail List
In case anyone might find it useful, or if it saves Colin
five minutes on his next release, here is the bootscript
I wrote to handle getting selinuxfs mounted on /.
I was undecided as to whether to actually have the
reload/restart or not, or even whether it made sense
to have a stop that dismounts selinuxfs. I'm agnostic
on it.
It should be linked into rcS.d as S0Selinux -> ../init.d/Selinux
So FWIW...
[-- Attachment #2: 20030916-etc_initd_Selinux --]
#! /bin/sh
#
# Selinux	Mount the selinux fs.
# Written by Dale Amon <amon@islandone.org>.
#
# Version: @(#)Selinux 1.0.0 15-Sep-2003 amon@vnl.com
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=Selinux
DESC="selinuxfs"
set -e
case "$1" in
  start)
	echo -n "Mounting $DESC"
	mount -t selinuxfs none /selinux
	echo "."
	;;
  stop)
	echo -n "Unmounting $DESC"
	# umount takes the mount point; "-t selinuxfs" on its own (without -a)
	# unmounts nothing.
	umount /selinux
	echo "."
	;;
  reload|restart|force-reload)
	echo -n "Restarting $DESC: $NAME"
	umount /selinux
	mount -t selinuxfs none /selinux
	echo "."
	;;
  *)
	N=/etc/init.d/$NAME
	echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
	exit 1
	;;
esac
exit 0
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Dale Amon @ 2003-09-16 19:10 UTC
To: SELinux Mail List
On Tue, Sep 16, 2003 at 04:54:39PM +0100, Dale Amon wrote:
> It should be linked into rcS.d as S0Selinux -> ../init.d/Selinux
Correction, I mean:
S00Selinux
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Russell Coker @ 2003-09-17 10:36 UTC
To: Dale Amon, SELinux Mail List
On Wed, 17 Sep 2003 01:54, Dale Amon wrote:
> In case anyone might find it useful, or if it saves Colin
> five minutes on his next release, here is the bootscript
> I wrote to handle getting selinuxfs mounted on /.
I suggest also reloading the policy in the same script (see my previous
message about initrd policy).
> I was undecided as to whether to actually have the
> reload/restart or not, or even whether it made sense
> to have a stop that dismounts selinuxfs. I'm agnostic
> on it.
It has occurred to me that if you were to use a NBD or similar device for a
root fs then you might want to do a pivot_root in the shutdown to umount root
properly, and therefore umounting any file systems under / will be helpful.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Dale Amon @ 2003-09-17 11:10 UTC
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Wed, Sep 17, 2003 at 08:36:48PM +1000, Russell Coker wrote:
> I suggest also reloading the policy in the same script (see my previous
> message about initrd policy).
No problem. I actually had it there but decided it was
redundant and removed it. I'll add it back since I
really had no strong feelings about it.
If the policy version changes from policy.15, presumably
there is a package update anyway, so that doesn't seem
a problem.
> It has occurred to me that if you were to use a NBD or similar device for a
> root fs then you might want to do a pivot_root in the shutdown to umount root
> properly, and therefore umounting any file systems under / will be helpful.
But how would you know whether you needed to re-pivot
or not? What if you have booted your maintenance kernel
or some other that doesn't pivot? The boot script would
have to recognize that. I haven't got the test machine
booted at the moment so I can't check if the initrd mount
has a unique feature that you can find in /proc/mounts.
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Dale Amon @ 2003-09-17 12:15 UTC
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Wed, Sep 17, 2003 at 12:10:27PM +0100, Dale Amon wrote:
> But how would you know whether you needed to re-pivot
> or not? What if you have booted your maintenance kernel
> or some other that doesn't pivot? The boot script would
> have to recognize that. I haven't got the test machine
> booted at the moment so I can't check it the initrd mount
> has a unique feature that you can find in /proc/mounts.
I suppose you could check for the existence of an /initrd
mount and then check that /initrd/selinux exists.
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Russell Coker @ 2003-09-17 12:43 UTC
To: Dale Amon; +Cc: SELinux Mail List
On Wed, 17 Sep 2003 21:10, Dale Amon wrote:
> On Wed, Sep 17, 2003 at 08:36:48PM +1000, Russell Coker wrote:
> > I suggest also reloading the policy in the same script (see my previous
> > message about initrd policy).
>
> No problem. I actually had it there but decided it was
> redundant and removed it. I'll add it back since I
> really had not strong feelings about it.
If the policy is the same it doesn't do that much harm to reload it. It will
slightly hurt performance and operations such as video playing might glitch
as a result, but this doesn't matter during the boot process.
> > It has occurred to me that if you were to use a NBD or similar device for
> > a root fs then you might want to do a pivot_root in the shutdown to
> > umount root properly, and therefore umounting any file systems under /
> > will be helpful.
>
> But how would you know whether you needed to re-pivot
> or not? What if you have booted your maintenance kernel
> or some other that doesn't pivot? The boot script would
> have to recognize that. I haven't got the test machine
> booted at the moment so I can't check it the initrd mount
> has a unique feature that you can find in /proc/mounts.
The problem of re-pivoting would have to be dealt with in the shutdown scripts
for such an NBD type device. As I never got around to implementing such
support for root on network devices I never wrote shutdown scripts. However
I would like to have things be in reasonable shape so that I won't
experience excessive pain if/when I do it.
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Dale Amon @ 2003-09-17 12:54 UTC
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
On Wed, Sep 17, 2003 at 10:43:31PM +1000, Russell Coker wrote:
> The problem of re-pivoting would have to be dealt with in the shutdown scripts
> for such as NBD type device. As I never got around to implementing such
> support for root on network devices I never wrote shutdown scripts. However
> I would like to have things be in reasonable shape so that if I won't
> experience excessive pain if/when I do it.
The more I think about it, the less I'm sure of what
to do. I brought my test bed back on line and did a bit
of looking around.
/initrd is gone after boot up, so I can't use anything
about it as an indicator; also I can't then pivot back to
it. I can detect that an initrd must have occurred at boot
because there is an selinuxfs which wouldn't exist if I
hadn't booted from selinux.
But even that isn't quite good enough. The boot script
should not try to mount /selinux at all unless the
kernel is an selinux enabled one. I'm not quite sure
how to detect that... wait, hold on thar.... 2.6.0
kernels put the .config into /proc. Hmmm... let me
think on that!
* Re: Trivial debian bootscript for selinuxfs on 2.6
From: Dale Amon @ 2003-09-17 16:56 UTC
To: Russell Coker; +Cc: Dale Amon, SELinux Mail List
Okay, here's a second pass with most of what Russ asked for.
I didn't consider the pivot_root yet. That would also have
to be worked out with Colin, and since he set up the whole of the
selinux mkinitrd and policy infrastructure packages, he's
the one to think about how this all fits.
Here's the second cut. Note the questions I have on the
timing of this at halt/reboot.
[-- Attachment #2: Selinux --]
#! /bin/sh
#
# Selinux	Mount the selinux fs.
# Written by Dale Amon <amon@islandone.org>.
#
# Version: @(#)Selinux 1.0.0 15-Sep-2003 amon@vnl.com
#          @(#)Selinux 1.0.1 17-Sep-2003 amon@vnl.com
#
# Recommended levels:
#   update-rc.d Selinux start 00 S . stop 99 0 6 .
#
# Note: It should run before anything else at boot time; it
# should be the very last thing to go down at halt or reboot.
#
# One could have a rc0.d/K99XXXXX that executed after it.
# Also, all of the rc0.d/S* scripts run after it and we
# have no way to make a kill script be the last thing
# after Starts, short of a serious kludge I can think of
# by using a second script, S99XXXXXX, that calls
# Selinux stop.
# Could this cause any problems, security or otherwise?
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=Selinux
SELF=/etc/init.d/$NAME
POLICY=/etc/security/selinux/policy.15
LOADPOLICY=/usr/sbin/load_policy
set -e

# Shell-true (return 0) only when load_policy is present and the policy
# file exists, so that "if can_load_policy" reads the way it is used below.
# Written in POSIX function syntax: "function" is a bash keyword and this
# script runs under /bin/sh.
can_load_policy () {
	if [ ! -x $LOADPOLICY ]; then
		return 1
	fi
	if [ ! -f $POLICY ]; then
		echo "Failed."
		echo -n "...Cannot find $POLICY, try: make -C /etc/selinux install"
		return 1
	fi
	return 0
}
do_load_policy () {
	echo -n "Reloading policy"
	if can_load_policy; then
		# "|| echo" keeps a failed load from aborting the script under set -e.
		$LOADPOLICY $POLICY || echo -n "...Policy load failed"
	fi
	echo "."
}
case "$1" in
  start)
	echo "Mounting selinuxfs."
	mount -t selinuxfs none /selinux
	do_load_policy
	;;
  stop)
	echo -n "Unmounting selinuxfs"
	# umount takes the mount point; a bare "-t selinuxfs" needs -a to do anything.
	umount /selinux
	echo "."
	;;
  reload|force-reload)
	do_load_policy
	;;
  restart)
	echo "Remounting selinuxfs."
	umount /selinux
	mount -t selinuxfs none /selinux
	do_load_policy
	;;
  *)
	echo "Usage: $SELF {start|stop|restart|reload|force-reload}" >&2
	exit 1
	;;
esac
exit 0
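The two open questions in this thread, from the 12:54 message (how a boot script can tell whether the running kernel is an SELinux one at all, so that a maintenance kernel does not trip over a failing mount) and from the second script above (a "start" that runs when selinuxfs is already mounted, for instance by the initrd, fails under set -e), can both be settled from tables the kernel exports. The following is an added example and not Dale Amon's script, Colin's package or any Debian code: it reads the registered filesystem types from /proc/filesystems, which every 2.6 kernel exposes (unlike /proc/config.gz, which needs CONFIG_IKCONFIG_PROC), and the current mounts from /proc/mounts, and derives the one action "start" should take. The function names (kernel_has_selinuxfs, selinuxfs_mounted, policy_loadable, plan_start), the parameterised file paths and the sample tables are mine; the samples are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not Dale Amon's script: decide what an selinuxfs boot
# script should do by reading the kernel's own tables rather than guessing.
# Assumptions (not from the thread): a 2.6 kernel lists registered
# filesystem types in /proc/filesystems and current mounts in /proc/mounts.
# Both paths are parameters so the logic can be exercised on sample files.

# kernel_has_selinuxfs FILESYSTEMS_FILE
#   Shell-true when the running kernel registered the selinuxfs type, i.e.
#   it was built with SELinux. A plain maintenance kernel lacks the line.
kernel_has_selinuxfs() {
    # Lines look like "nodev<TAB>selinuxfs"; compare the last column only,
    # so a type such as "selinuxfs2" would not match by accident.
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# selinuxfs_mounted MOUNTS_FILE MOUNTPOINT
#   Shell-true when selinuxfs is already mounted at MOUNTPOINT. In
#   /proc/mounts column 2 is the mount point and column 3 the type.
selinuxfs_mounted() {
    awk -v mp="$2" '$2 == mp && $3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# policy_loadable LOAD_POLICY_BINARY POLICY_FILE
#   Shell-true only when the loader is executable and the policy file exists.
policy_loadable() {
    [ -x "$1" ] && [ -f "$2" ]
}

# plan_start FILESYSTEMS_FILE MOUNTS_FILE MOUNTPOINT
#   Prints the one action "start" should take:
#     no-selinux  kernel cannot mount selinuxfs: do nothing, exit 0
#     mounted     already mounted (second "start", or the initrd did it):
#                 skip the mount, only (re)load the policy
#     mount       mount it, then load the policy
plan_start() {
    if ! kernel_has_selinuxfs "$1"; then
        echo no-selinux
    elif selinuxfs_mounted "$2" "$3"; then
        echo mounted
    else
        echo mount
    fi
}

# write_samples DIR
#   Writes constructed sample tables (not captured from a real machine)
#   in the format of /proc/filesystems and /proc/mounts.
write_samples() {
    printf 'nodev\tproc\nnodev\tselinuxfs\n\text3\n' > "$1/fs-selinux"
    printf 'nodev\tproc\n\text3\n' > "$1/fs-plain"
    printf 'rootfs / rootfs rw 0 0\n/dev/hda1 / ext3 rw 0 0\n' > "$1/mounts-none"
    printf '/dev/hda1 / ext3 rw 0 0\nnone /selinux selinuxfs rw 0 0\n' > "$1/mounts-sel"
}

# demo: run the plan over the sample tables and report it.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "SELinux kernel, nothing mounted: $(plan_start "$dir/fs-selinux" "$dir/mounts-none" /selinux)"
    echo "SELinux kernel, already mounted: $(plan_start "$dir/fs-selinux" "$dir/mounts-sel" /selinux)"
    echo "plain kernel, nothing mounted:   $(plan_start "$dir/fs-plain" "$dir/mounts-none" /selinux)"
    if policy_loadable /usr/sbin/load_policy /etc/security/selinux/policy.15; then
        echo "this host: load_policy and policy.15 present, would load policy"
    else
        echo "this host: no load_policy or no policy.15, would skip policy load"
    fi
    rm -rf "$dir"
}

demo
```

In a real init script the three calls would be made against /proc/filesystems and /proc/mounts directly, and "stop" would use the same selinuxfs_mounted test before calling umount so that the kill script is harmless on a kernel that never mounted anything.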