* setfiles and non-SE systems
@ 2003-12-01 10:02 Russell Coker
  2003-12-01 14:42 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2003-12-01 10:02 UTC (permalink / raw)
  To: SE Linux

lstat64("/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lgetxattr("/", "security.selinux", 0x84789a0, 255) = -1 EOPNOTSUPP (Operation not supported)
dup(2)                                  = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001a000
_llseek(3, 0, 0xbfffe640, SEEK_CUR)     = -1 ESPIPE (Illegal seek)
write(3, "/: Operation not supported\n", 27) = 27
close(3)                                = 0
munmap(0x4001a000, 4096)                = 0
write(2, "setfiles:  unable to obtain attr"..., 49) = 49

Above is part of the strace output from trying to run setfiles on a non-SE 
system (kernel 2.4.22 with the ACL patch but no SE patch).

It appears that if we had a kernel patch to provide the security.selinux name 
space as a regular xattr on non-SE systems then we could label the file 
system before installing a SE Linux kernel.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
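The probe below is an editor's added example, not code from any message in this thread or from setfiles itself: it repeats the lgetxattr("security.selinux") call seen in the strace above and classifies the result, so an administrator can tell a kernel that lacks the security xattr handler (EOPNOTSUPP, the failure setfiles hit) from a kernel that has it but whose files are simply not labeled yet (ENODATA). The enum and function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* Outcome of probing one path for the security.selinux xattr. */
enum xattr_probe {
    XATTR_PROBE_ERROR = -1,   /* path missing, ERANGE, etc.; errno is set */
    XATTR_PROBE_UNSUPPORTED,  /* EOPNOTSUPP: no security.* handler in kernel/fs */
    XATTR_PROBE_UNLABELED,    /* ENODATA: handler present, file not labeled yet */
    XATTR_PROBE_LABELED       /* a label was read back into buf */
};

/* Same call setfiles makes (lgetxattr, no symlink following, 255-byte buffer
 * when len is 256); the result distinguishes "kernel cannot store labels"
 * from "kernel can, nothing stored yet", which is the question in the thread. */
enum xattr_probe probe_security_xattr(const char *path, char *buf, size_t len)
{
    ssize_t n = lgetxattr(path, "security.selinux", buf, len - 1);
    if (n >= 0) {
        buf[n] = '\0';
        return XATTR_PROBE_LABELED;
    }
    switch (errno) {
    case ENODATA:     buf[0] = '\0'; return XATTR_PROBE_UNLABELED;
    case EOPNOTSUPP:  return XATTR_PROBE_UNSUPPORTED;
    default:          return XATTR_PROBE_ERROR;
    }
}

/* Convenience wrapper when the label text itself is not needed. */
enum xattr_probe probe_path(const char *path)
{
    char label[256];
    return probe_security_xattr(path, label, sizeof label);
}

int main(int argc, char **argv)
{
    char label[256];
    const char *path = argc > 1 ? argv[1] : "/";
    switch (probe_security_xattr(path, label, sizeof label)) {
    case XATTR_PROBE_LABELED:
        printf("%s: labeled %s\n", path, label); break;
    case XATTR_PROBE_UNLABELED:
        printf("%s: security xattrs supported, not labeled; run setfiles\n", path); break;
    case XATTR_PROBE_UNSUPPORTED:
        printf("%s: no security.* handler; boot a kernel that has one\n", path); break;
    default:
        printf("%s: %s\n", path, strerror(errno));
    }
    return 0;
}
```

Run it against a mount point before attempting to label a tree; EOPNOTSUPP means no amount of retrying setfiles will help until the kernel provides the handler.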


* Re: setfiles and non-SE systems
  2003-12-01 10:02 setfiles and non-SE systems Russell Coker
@ 2003-12-01 14:42 ` Stephen Smalley
  2003-12-01 19:14   ` Dale Amon
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2003-12-01 14:42 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Mon, 2003-12-01 at 05:02, Russell Coker wrote:
> Above is part of the strace output from trying to run setfiles on a non-SE 
> system (kernel 2.4.22 with the ACL patch but no SE patch).
> 
> It appears that if we had a kernel patch to provide the security.selinux name 
> space as a regular xattr on non-SE systems then we could label the file 
> system before installing a SE Linux kernel.

Right, if the xattr handlers for the security namespace were added to
the EA/ACL patches, then you could assign the security.selinux
attributes on a kernel with only those patches.  However:
- that still requires a patched kernel (unless those patches
get upstreamed to mainline 2.4)
- If you are going to build a patched kernel, then you might as
well build a SELinux kernel and just boot with selinux=0 to perform the
initial labeling.  Same end result, a kernel that has the xattr handler
but isn't running SELinux.

I think that Jim Carter tried posting patches to the acl-devel list to
get the security xattr handler added a while back, but the list seems to
be down.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: setfiles and non-SE systems
  2003-12-01 14:42 ` Stephen Smalley
@ 2003-12-01 19:14   ` Dale Amon
  2003-12-01 19:23     ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Dale Amon @ 2003-12-01 19:14 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Russell Coker, SE Linux

On Mon, Dec 01, 2003 at 09:42:23AM -0500, Stephen Smalley wrote:
> Right, if the xattr handlers for the security namespace were added to
> the EA/ACL patches, then you could assign the security.selinux
> attributes on a kernel with only those patches.  However:
> - that still requires a patched kernel (unless those patches
> get upstreamed to mainline 2.4)
> - If you are going to build a patched kernel, then you might as
> well build a SELinux kernel and just boot with selinux=0 to perform the
> initial labeling.  Same end result, a kernel that has the xattr handler
> but isn't running SELinux.

Point taken. I probably could live with that... 

Question though: I take it that all that is needed is
the EA/ACL security attributes. Like the handler
I did for reiserfs I take it? 

Anyway Steve, thanks for the ideas. I'm going to go
off and look into approaches based on the above and
see if it works out for me.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------


* Re: setfiles and non-SE systems
  2003-12-01 19:14   ` Dale Amon
@ 2003-12-01 19:23     ` Stephen Smalley
  2003-12-02  0:43       ` Dale Amon
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2003-12-01 19:23 UTC (permalink / raw)
  To: Dale Amon; +Cc: Russell Coker, SE Linux, Jim Carter

On Mon, 2003-12-01 at 14:14, Dale Amon wrote:
> Point taken. I probably could live with that... 
> 
> Question though: I take it that all that is needed is
> the EA/ACL security attributes. Like the handler
> I did for reiserfs I take it? 
> 
> Anyway Steve, thanks for the ideas. I'm going to go
> off and look into approaches based on the above and
> see if it works out for me.

The handlers are already in 2.6.  So you can build a 2.6 kernel with the
handlers and no SELinux without any patching (or you can just take a 2.6
SELinux kernel and boot with selinux=0).  For 2.4, Jim Carter does have
separate patches to add the xattr security handlers for ext2 and ext3 to
the EA/ACL patches, so if you want those patches, he can just send them
to you.  Or, you can just build a 2.4 SELinux kernel and boot with
selinux=0.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: setfiles and non-SE systems
  2003-12-01 19:23     ` Stephen Smalley
@ 2003-12-02  0:43       ` Dale Amon
  0 siblings, 0 replies; 5+ messages in thread
From: Dale Amon @ 2003-12-02  0:43 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dale Amon, Russell Coker, SE Linux, Jim Carter

On Mon, Dec 01, 2003 at 02:23:13PM -0500, Stephen Smalley wrote:
> The handlers are already in 2.6.  So you can build a 2.6 kernel with the
> handlers and no SELinux without any patching (or you can just take a 2.6
> SELinux kernel and boot with selinux=0).  For 2.4, Jim Carter does have
> separate patches to add the xattr security handlers for ext2 and ext3 to
> the EA/ACL patches, so if you want those patches, he can just send them
> to you.  Or, you can just build a 2.4 SELinux kernel and boot with
> selinux=0.

I'll probably go the 2.6.0-test10 route. I'm in the
process of upgrading my workstation and some other
machines to debian sarge dist so since I'll probably
break everything tonight anyway, I might as well do
that at the same time.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

