* Virtualization and SELinux
From: Jaspreet Singh @ 2004-10-20 12:10 UTC (permalink / raw)
To: sds, nsa
Hi,
I have my box up and running with (customized) targeted-selinux
policies (special thanks to Stephen Smalley and Colin Walters ;-)
But now I am stuck on issues of selinux with virtualization. I need to
virtualize my box to support multiple sites (name- and ip-based), e.g.
/home/virtual/siteNum/etc/passwd ..
/home/virtual/siteNum/home/USERS ..
and different sites can have the same user name, right ... and these users
can easily be looked up against multiple passwd files for normal authentication.
But how about SELinux .. I know even /usr/sbin/genhomedircon can be
modified to look into different passwd files ... but what about the
selinux-policy??? It obviously cannot have the same user names for
different users, right????
I can also insert dummy users in /etc/passwd which are unique and have the
same uid/gid as the /home/virtual/siteNum/etc/passwd users, so that the
selinux user name is different from the linux user name.
But will login understand this? Could anyone explain to me the
behavior of login in this context ....
Jaspreet
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Virtualization and SELinux
From: Luke Kenneth Casson Leighton @ 2004-10-20 15:10 UTC (permalink / raw)
To: Jaspreet Singh; +Cc: sds, nsa
Jaspreet, hi,
I think what you will need to do is to apply selinux permissions
to the chrooted environment [try it!]:
1) copy (cp -ax) /etc/selinux/ and /usr/share/selinux to
/home/virtual/siteNum
2) chroot /home/virtual/siteNum /bin/bash
3) cd /etc/selinux/src as usual
4) run make relabel.
5) delete /usr/share/selinux.
Alternatively, if you don't want to copy /usr/share/selinux over
in the first place, cp -ax /etc/selinux to /home/virtual/siteNum,
then do the chroot, then manually do:
setfiles /etc/selinux/src/file_contexts/file_contexts /
I do something similar to this from a boot / recovery CD already.
I _expect_ that programs which are in the chroot environment will then
act as normal.
The only thing that you _might_ have to do is add to the [non-chrooted!]
selinux policy a .te and .fc for a shell program to be used in
/etc/passwd which can chroot your users and drop them into the right
user context: I don't know exactly what to suggest there.
BTW, by doing the chrooted environment you should, in 1) above,
ONLY set up and copy over a subset of the policy which is
APPROPRIATE for the users for /home/virtual/siteNum.
Then you might be able, of course, to remove things not needed
from the "main" policy.
l.
--
you don't have to BE MAD | this space | my brother wanted to join mensa,
to work, but IT HELPS | for rent | for an ego trip - and get kicked
you feel better! I AM | can pay cash | out for a even bigger one.
* Re: Virtualization and SELinux
From: Luke Kenneth Casson Leighton @ 2004-10-20 17:49 UTC (permalink / raw)
To: Jaspreet Singh, sds, nsa
On Wed, Oct 20, 2004 at 04:10:31PM +0100, Luke Kenneth Casson Leighton wrote:
> the only thing that you _might_ have to do is add to the [non-chrooted!]
> selinux policy a .te and .fc for a shell program to be used in
> /etc/passwd which can chroot your users and drop them into the right
> user context: i don't know exactly what to suggest there.
... BTW, it would be helpful for you to describe exactly how
and where you are doing the chrooting.
l.
* Overlay Filesystem and SELinux
From: Jaspreet Singh @ 2004-10-27 14:32 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton, Colin Walters, sds; +Cc: nsa, Philip Leo
Hi,
Thanks for the help .. so far so good, I am on track with my
"Virtualization and SELinux" ;-)
I am trying to implement an overlay-fs with selinux and got stuck on a
problem.
Overlay-fs (for those who are unaware) virtually lets you write to a
read-only fs, like if you say ...
mount -t overlay -o dir1=/base,dir2=/storage /base /target
so all attempts to write to base are directed to the storage. So if
I try and write to a writable file in base, say
/target/etc/httpd/conf, then the new file would be created in the storage
with the complete path up to that file ... so the initially empty storage
will have /storage/etc/httpd/conf.
But the problem is the newly created directory /storage/etc inherits its
security context from /storage :-)
I know this was expected .. but is there any way to override it so that
.... new directories and files (etc, var, etc.) inside the storage get
tagged with a specific context like etc_t and var_t?
type_transition can only help put the same tag on all of etc/ and var/, as
it is the same kernel_t process creating them.
The second possibility is .. if I create skeleton directories inside the
storage and tag them properly.
What do you say...
Thanks
Jaspreet
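Luke's relabel-inside-the-chroot recipe earlier in the thread rests on setfiles matching paths against file_contexts, and Jaspreet's fallback above is a pre-labelled skeleton in the storage branch. As an added illustration (not code from this thread, nor from mini_fo or unionfs), the Python below mirrors base's directories into storage and computes the label each skeleton directory should carry from a constructed file_contexts fragment, using the last-match-wins rule that libselinux applies; paths are taken relative to the union root (an assumption), and actually applying the labels with setfiles or chcon is left out.

```python
import os
import re
import tempfile

# Constructed file_contexts fragment in the format setfiles reads:
# <path regex> [<type flag>] <context>. As in libselinux the LAST matching
# line wins; a flag such as "-d" (dir) or "--" (regular file) limits a line.
FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t
/etc(/.*)?          system_u:object_r:etc_t
/var(/.*)?          system_u:object_r:var_t
/var/log(/.*)?      system_u:object_r:var_log_t
/etc/shadow     --  system_u:object_r:shadow_t
"""
TYPE_FLAGS = {"--": "file", "-d": "dir"}

def parse_file_contexts(text):
    """Return [(compiled regex, kind or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) not in (2, 3):
            raise ValueError("bad file_contexts line: %r" % line)
        flag = parts[1] if len(parts) == 3 else None  # unknown flags act as "any"
        specs.append((re.compile(parts[0] + r"\Z"), TYPE_FLAGS.get(flag), parts[-1]))
    return specs

def match_context(path, kind, specs):
    """Last matching spec wins; specs restricted to another file type are skipped."""
    for regex, spec_kind, ctx in reversed(specs):
        if spec_kind in (None, kind) and regex.match(path):
            return ctx
    return None  # no spec covers this path

def plan_skeleton(base, storage, specs):
    """Mirror each directory of base into storage; return the context each
    skeleton directory should carry, keyed by its path under the union root."""
    plan = {}
    for dirpath, _dirs, _files in os.walk(base):
        rel = os.path.relpath(dirpath, base)
        union_path = "/" if rel == "." else "/" + rel
        os.makedirs(os.path.join(storage, rel), exist_ok=True)
        plan[union_path] = match_context(union_path, "dir", specs)
    return plan

def demo():
    """Constructed base tree; returns the planned labels for its storage twin."""
    with tempfile.TemporaryDirectory() as tmp:
        base, storage = os.path.join(tmp, "base"), os.path.join(tmp, "storage")
        for d in ("etc/httpd", "var/log", "var/www"):
            os.makedirs(os.path.join(base, d))
        return plan_skeleton(base, storage, parse_file_contexts(FILE_CONTEXTS))
```

The returned plan is what a skeleton-creation step would feed to setfiles or chcon once the directories exist, so that copy-up into /storage/etc never has to inherit /storage's own context.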
* Re: Overlay Filesystem and SELinux
From: Jaspreet Singh @ 2004-12-26 8:41 UTC (permalink / raw)
To: Erich Schubert; +Cc: nsa
Hi,
I was initially involved in creating a unionfs (of BSD) for Linux. This
project was called "mini_fo". Search Google for results.
That project is now .. not maintained .. and now I am involved in a much
more sophisticated implementation called "unionfs". Check this link:
www.fsl.cs.sunysb.edu/project-unionfs.html
Unionfs was initially only for the 2.4 kernel, but I recently ported it to
2.6. The port is not official yet. But it's working.
> I'd love to use your overlay-fs when I needed to setup some virtual
> boxes. This is a great tool for virtualization. You can use this to
> manage a group of virtual hosts more easily (for example installing new
> software on them or upgrading existing)
> Do you also have some "hiding" features? With your concept right now,
> none of the overlayed files can be deleted. Or do you have a way of
> signalling that?
>
Yups, it has all BSD unionfs/union-mount features. My 2.6 port is not
selinux compatible yet .. but would be in some time.
> How do you create the whole path? just by doing a number of mkdirs? IMHO
> you should copy the xattr attributes from the overlayed directories
> here. As long as you are inside the kernel, doing so shouldn't be too
> hard.
>
Nope .. just union mount some already mounted directories (called
branches) on a mount point and then any lookups/writes on the mount point
would follow COW semantics. And changes would be written to the topmost
RW branch.
How is it?
Greetings and Merry Christmas,
Jaspreet
* Re: Overlay Filesystem and SELinux
From: Dale Amon @ 2004-12-26 12:54 UTC (permalink / raw)
To: Jaspreet Singh; +Cc: Erich Schubert, nsa
On Sun, Dec 26, 2004 at 02:11:00PM +0530, Jaspreet Singh wrote:
> I was initially involved in creating a unionfs (of BSD) for Linux. This
> project was called "mini_fo". Search google for results.
>
> That project is now .. not maintained .. and now I am involved in a much
> more sophisticated implementation called "unionfs". Check this link:
> www.fsl.cs.sunysb.edu/project-unionfs.html
>
> Unionfs was initially only for the 2.4 kernel, but I recently ported it to
> 2.6. The port is not official yet. But it's working.
Brilliant. I have been waiting for this quite literally
for years. What are the chances it will go into the
main kernel tree?
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
* Re: Overlay Filesystem and SELinux
From: Jaspreet Singh @ 2004-12-26 18:39 UTC (permalink / raw)
To: Dale Amon; +Cc: Erich Schubert, nsa
Hi,
On Sun, 2004-12-26 at 12:54 +0000, Dale Amon wrote:
> > That project is now .. not maintained .. and now I am involved in a much
> > more sophisticated implementation called "unionfs". Check this link:
> > www.fsl.cs.sunysb.edu/project-unionfs.html
> >
> > Unionfs was initially only for the 2.4 kernel, but I recently ported it to
> > 2.6. The port is not official yet. But it's working.
>
> Brilliant. I have been waiting for this quite literally
> for years. What are the chances it will go into the
> main kernel tree?
Thanks :), yes, the official maintainers can answer that question better.
For all I know unionfs has been publicized on lkml and there are talks
about the same.
Till recently it just seemed to be an academic project. But now it has
gained momentum. I have used and extended 3 overlay file-systems .. and
this one seemed to be the most promising and stable.
It has some very good features like adding/removing branches (i.e.
directories) from a union.
But I am just a fresh grad .. probably people out there can judge this
file-system better.
Currently my port works on 2.6.0 -to- 2.6.9 kernels .. but the maintainers
are reviewing it .. would work on it.
Thanks,
Jaspreet
* Re: Overlay Filesystem and SELinux
From: Jaspreet Singh @ 2004-12-27 10:59 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton
Cc: Dale Amon, Erich Schubert, Stephen Smalley, nsa
Hi Luke,
On Mon, 2004-12-27 at 10:27 +0000, Luke Kenneth Casson Leighton wrote:
> are the knoppix team aware of it?
>
Well, no ... I am in touch with Tomas Matejicek of www.linux-live.org. I
think I will mail and check the response. Anyone in touch with them???
I am studying the selinux implementation in 2.6 kernels .. anyone with
relevant docs? .. the one on the NSA website is stale.
Thanks,
Jaspreet
* Re: Overlay Filesystem and SELinux
From: Dale Amon @ 2004-12-30 18:04 UTC (permalink / raw)
To: Jaspreet Singh; +Cc: Dale Amon, Erich Schubert, nsa
On Mon, Dec 27, 2004 at 12:09:10AM +0530, Jaspreet Singh wrote:
> Thanks :), yes, the official maintainers can answer that question better.
> For all I know unionfs has been publicized on lkml and there are talks
> about the same.
>
> Till recently it just seemed to be an academic project. But now it has
> gained momentum. I have used and extended 3 overlay file-systems .. and
> this one seemed to be the most promising and stable.
>
> It has some very good features like adding/removing branches (i.e.
> directories) from a union.
If anyone hasn't seen it already, there is an article
on unionfs in this month's Linux Journal.