* modules needed to be compiled in for selinux to work
From: Luke Kenneth Casson Leighton @ 2005-01-02 10:45 UTC
To: SE-Linux

hi,

debian's 2.6.9 kernel has selinux - and capabilities - as modules.

i was wondering: which gets run first, /sbin/init or modprobe capability from /etc/modules?

i think the question is fairly obviously /sbin/init but i want to be absolutely sure.

in other words, is CONFIG_CAPABILITY=m stopping selinux from working in debian's 2.6.9 kernel? or am i on the wrong track altogether?

ta,

l.

-- 
http://lkcl.net

-- 
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: modules needed to be compiled in for selinux to work
From: Richard Troth @ 2005-01-02 18:07 UTC
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

On Sun, 2 Jan 2005, Luke Kenneth Casson Leighton wrote:
> debian's 2.6.9 kernel has selinux - and capabilities - as modules.

Good!

> i was wondering: which gets run first, /sbin/init or modprobe
> capability from /etc/modules?

Well ... 'init', sort of. Read on.

> i think the question is fairly obviously /sbin/init but i want to be
> absolutely sure.

If "initrd" is not used, then yes, 'init' runs first, and I suppose that can foul up SELinux. Of course, one could replace 'init' with another program, even a shell script, which would properly load the security modules and policies and then exec the real 'init'.

Most often, for SuSE and RedHat anyway, there's an "initrd" hack happening so that the distributor needs to ship only one or two pre-compiled kernels and then load modules in that mysterious early light just before dawn and real root and real /sbin/init. After working its magic, the "initrd" initializer does a 'pivot_root'.

> in other words, is CONFIG_CAPABILITY=m stopping selinux from
> working in debian's 2.6.9 kernel?

I really REALLY hope not, because having SELinux shipped as modules is a Good Thing. Several reasons for this position, I will not enumerate now.

-- R;
* Re: modules needed to be compiled in for selinux to work
From: Luke Kenneth Casson Leighton @ 2005-01-02 19:01 UTC
To: Richard Troth; +Cc: SE-Linux

On Sun, Jan 02, 2005 at 12:07:51PM -0600, Richard Troth wrote:
> On Sun, 2 Jan 2005, Luke Kenneth Casson Leighton wrote:
> > debian's 2.6.9 kernel has selinux - and capabilities - as modules.
>
> Good!
>
> > i was wondering: which gets run first, /sbin/init or modprobe
> > capability from /etc/modules?
>
> Well ... 'init', sort of. Read on.
>
> > i think the question is fairly obviously /sbin/init but i want to be
> > absolutely sure.
>
> If "initrd" is not used, then yes, 'init' runs first,
> and I supposed that can foul-up SELinux. Of course, one could
> replace 'init' with another program, even a shell script,
> which would properly load the security modules and policies
> and then exec the real 'init'.
>
> Most often, for SuSE and RedHat anyway,
> there's an "initrd" hack happening so that the distributor
> needs to ship only one or two pre-compiled kernels and then load
> modules in that mysterious early light just before dawn and
> real root and real /sbin/init. After working its magic,
> the "initrd" initializer does a 'pivot_root'.

oh. yes. i remember now - /etc/mkinitrd/modules.

ah ha! okay. so if i add "capability" to that list (and selinuxfs?) and rebuild the kernel, such that mkinitrd adds it, everything is hunky-dory again, yes?

l.
* Re: modules needed to be compiled in for selinux to work
From: Richard Troth @ 2005-01-02 19:59 UTC
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

With 'mkinitrd' you should not have to re-build the kernel. You just re-make the initial RAMDISK with your desired selection-o-modules and reboot.

-- R;
* Re: modules needed to be compiled in for selinux to work
From: Luke Kenneth Casson Leighton @ 2005-01-02 21:12 UTC
To: Richard Troth; +Cc: SE-Linux

fortunately, debian kernel maintainers will be looking to do CONFIG_CAPABILITY=yes apparently because of root plug exploit possibility otherwise.

l.

On Sun, Jan 02, 2005 at 01:59:20PM -0600, Richard Troth wrote:
> With 'mkinitrd' you should not have to re-build the kernel.
> You just re-make the initial RAMDISK with your desired
> selection-o-modules and reboot.
>
> -- R;
>

-- 
http://lkcl.net
* Re: modules needed to be compiled in for selinux to work
From: Russell Coker @ 2005-01-04 15:03 UTC
To: Richard Troth; +Cc: Luke Kenneth Casson Leighton, SE-Linux

On Monday 03 January 2005 05:07, Richard Troth <rtroth@bmc.com> wrote:
> > i was wondering: which gets run first, /sbin/init or modprobe
> > capability from /etc/modules?
>
> Well ... 'init', sort of. Read on.
>
> > i think the question is fairly obviously /sbin/init but i want to be
> > absolutely sure.
>
> If "initrd" is not used, then yes, 'init' runs first,
> and I supposed that can foul-up SELinux. Of course, one could
> replace 'init' with another program, even a shell script,
> which would properly load the security modules and policies
> and then exec the real 'init'.

I initially experimented with a wrapper for /sbin/init to load the policy before the current method of loading policy was selected. Having the wrapper named /sbin/init and having it call /sbin/init.real (or whatever) worked OK, but it wouldn't be good to continue having it like that as a shell script in case a shell upgrade broke the funky method of passing init state through a pipe.

The other option was to have a kernel parameter of init=/sbin/init.wrapper or similar but that seemed like a gross hack too and on some architectures passing a kernel command-line parameter is unreasonably painful.

Patching /sbin/init seemed the only viable option. We could make an extra change to /sbin/init to make it call modprobe if absolutely necessary, it's not that difficult to do.

> Most often, for SuSE and RedHat anyway,
> there's an "initrd" hack happening so that the distributor
> needs to ship only one or two pre-compiled kernels and then load
> modules in that mysterious early light just before dawn and
> real root and real /sbin/init. After working its magic,
> the "initrd" initializer does a 'pivot_root'.

For Red Hat the solution is to just have capabilities linked into the kernel. For Debian we could have /sbin/init calling modprobe as its first action after mounting /proc if necessary.

> > in other words, is CONFIG_CAPABILITY=m stopping selinux from
> > working in debian's 2.6.9 kernel?
>
> I really REALLY hope not,
> because having SELinux shipped as modules is a Good Thing.
> Several reasons for this position, I will not enumerate now.

SE Linux has not worked correctly when compiled as a module since at least mid 2001. I don't believe that there are any plans to try and change this. SE Linux must be linked into the kernel. It makes sense to do the same with the capabilities module IMHO.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
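The init wrapper Richard sketches and Russell says he tried (a script installed as /sbin/init that loads what the kernel still lacks and then execs the real init), written out as an added example. It is not code from the thread, from Debian or from Russell's packages; it assumes the real init has been renamed to /sbin/init.real and that the only module needed before init is the 2.6 "capability" LSM module (both assumptions). The thread's own conclusion is that patching init, or building capabilities in, is the better fix; the wrapper is shown because the message above describes it.

```shell
#!/bin/sh
# Added example, not from the thread: a PID-1 wrapper that loads the
# modules init will need before handing over to the real init.
# Assumptions: the real init lives at /sbin/init.real, and the modules
# to load are listed in WANTED_MODULES (here just "capability").

REAL_INIT=${REAL_INIT:-/sbin/init.real}
WANTED_MODULES=${WANTED_MODULES:-capability}

# Print each name in $2.. that is not already listed in $1, a file in
# /proc/modules format (module name is the first field of every line).
modules_to_load() {
    procmods=$1; shift
    for m in "$@"; do
        # Exact match on the first field: a substring match would treat
        # "capability_foo" as satisfying "capability".
        if ! awk -v want="$m" '$1 == want { found = 1 } END { exit !found }' "$procmods"; then
            printf '%s\n' "$m"
        fi
    done
}

# What the wrapper does as PID 1, in order: make sure /proc is there
# (modprobe and /proc/modules need it), load whatever is missing, then
# replace itself with the real init so it keeps PID 1.
early_init() {
    [ -e /proc/modules ] || mount -t proc proc /proc
    for m in $(modules_to_load /proc/modules $WANTED_MODULES); do
        /sbin/modprobe "$m" || echo "init wrapper: modprobe $m failed" >&2
    done
    exec "$REAL_INIT" "$@"
}

# Only behave as init when we really are PID 1. Run by hand, the script
# defines the functions and does nothing, so the helper can be exercised.
if [ "$$" = 1 ]; then
    early_init "$@"
fi
```

modules_to_load is kept separate from early_init so the decision (what is still missing) can be checked against a saved /proc/modules without booting; the remaining risk Russell names, that a shell upgrade changes how init state is passed through, is not something a script like this can guard against.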
* Re: modules needed to be compiled in for selinux to work
From: Richard Troth @ 2005-01-04 15:11 UTC
To: Russell Coker; +Cc: Luke Kenneth Casson Leighton, SE-Linux

On Tue, 4 Jan 2005, Russell Coker wrote:
> SE Linux has not worked correctly when compiled as a module
> since at least mid 2001.

Okay, that answers the question I was going to ask Stephen. (I've never tried, so I did not know that Debian's "=m" would fail.)

> I don't believe that there are any plans to try and change this.

Why?

> SE Linux must be linked into the kernel. It makes sense to do
> the same with the capabilities module IMHO.

Certainly. It makes sense that they be consistent.

-- R;
* Re: modules needed to be compiled in for selinux to work
From: Stephen Smalley @ 2005-01-04 15:38 UTC
To: Richard Troth; +Cc: Russell Coker, Luke Kenneth Casson Leighton, SE-Linux

On Tue, 2005-01-04 at 10:11, Richard Troth wrote:
> On Tue, 4 Jan 2005, Russell Coker wrote:
> > SE Linux has not worked correctly when compiled as a module
> > since at least mid 2001.
>
> Okay, that answers the question I was going to ask Stephen.
> (I've never tried, so I did not know that Debian's "=m" would fail.)

To be precise, the SELinux configuration option was changed from 'tristate' (i.e. y/n/m) to 'bool' (i.e. y/n) in Sep 2002. That was part of an overhaul of SELinux based on feedback from certain kernel developers, who told us that trying to support SELinux as a loadable module made no sense and made it very difficult to analyze the code. This change allowed significant simplification of the SELinux code. So 'm' hasn't been an option for quite some time.

> > I don't believe that there are any plans to try and change this.
>
> Why?

Any security subsystem worth having is necessarily tightly coupled to the core kernel, and needs to start performing at least basic setup very early during kernel initialization (to track all kernel objects and ensure that they are all properly labeled for access control).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: modules needed to be compiled in for selinux to work
From: Stephen Smalley @ 2005-01-03 14:02 UTC
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

On Sun, 2005-01-02 at 05:45, Luke Kenneth Casson Leighton wrote:
> hi,
>
> debian's 2.6.9 kernel has selinux - and capabilities - as modules.

SELinux cannot be built as a module.

> in other words, is CONFIG_CAPABILITY=m stopping selinux from
> working in debian's 2.6.9 kernel?

No, it shouldn't be an issue.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
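A check for the two facts settled in this thread (SELinux has to be =y, and a modular capability LSM is a separate, non-SELinux concern), as an added example that is not part of the original mail or of any Debian tooling. It reads a kernel .config and reports the state of the 2.6 symbols CONFIG_SECURITY, CONFIG_SECURITY_SELINUX and CONFIG_SECURITY_CAPABILITIES; the thread's CONFIG_CAPABILITY is shorthand for the last of these, which is an assumption on my part. The /boot/config path in the usage comment is also an assumption about where the running kernel's config is kept.

```shell
#!/bin/sh
# Added example, not from the thread: read a kernel .config and say
# whether it can run SELinux at all, and whether the capability LSM
# will need loading before init (the situation the thread started from).
# Symbol names are the 2.6-era ones; assumed, not quoted from the thread.

# Print y, m, n or absent for symbol $2 in config file $1.
# Kconfig writes disabled options as "# SYM is not set".
config_value() {
    cfg=$1; sym=$2
    v=$(sed -n "s/^$sym=\([ym]\)\$/\1/p" "$cfg")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    elif grep -q "^# $sym is not set\$" "$cfg"; then
        echo n
    else
        echo absent
    fi
}

# Return 0 if SELinux is built in (the only form that works), 1 otherwise.
# A modular capability LSM does not fail the check, but is called out,
# since something has to modprobe it before udev or a policy load needs it.
check_security_config() {
    cfg=$1
    ok=0
    for sym in CONFIG_SECURITY CONFIG_SECURITY_SELINUX CONFIG_SECURITY_CAPABILITIES; do
        v=$(config_value "$cfg" "$sym")
        printf '%s=%s\n' "$sym" "$v"
        case "$sym:$v" in
            CONFIG_SECURITY:y|CONFIG_SECURITY_SELINUX:y) ;;
            CONFIG_SECURITY_SELINUX:m)
                echo "  SELinux cannot be a module (bool since Sep 2002); rebuild with =y" >&2
                ok=1 ;;
            CONFIG_SECURITY:*|CONFIG_SECURITY_SELINUX:*)
                echo "  $sym must be y for SELinux to work" >&2
                ok=1 ;;
            CONFIG_SECURITY_CAPABILITIES:m)
                echo "  capability is a module: put it in the initrd or have init modprobe it" >&2 ;;
            CONFIG_SECURITY_CAPABILITIES:*) ;;
        esac
    done
    return $ok
}

# Usage: sh selinux-config-check.sh /boot/config-$(uname -r)
# (path assumed; Debian kernel packages ship the config under /boot)
if [ $# -gt 0 ]; then
    check_security_config "$1"
fi
```

The value parser only accepts y or m on purpose: string and integer options never matter here, and treating anything else as "absent" keeps a mis-typed symbol from passing as enabled.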
* Re: modules needed to be compiled in for selinux to work
From: Luke Kenneth Casson Leighton @ 2005-01-03 20:56 UTC
To: Stephen Smalley; +Cc: SE-Linux

On Mon, Jan 03, 2005 at 09:02:34AM -0500, Stephen Smalley wrote:
> On Sun, 2005-01-02 at 05:45, Luke Kenneth Casson Leighton wrote:
> > hi,
> >
> > debian's 2.6.9 kernel has selinux - and capabilities - as modules.
>
> SELinux cannot be built as a module.

mwwh? i hadn't noticed. four months and i hadn't noticed. duh.

> > in other words, is CONFIG_CAPABILITY=m stopping selinux from
> > working in debian's 2.6.9 kernel?
>
> No, it shouldn't be an issue.

ah, then it's a non-selinux issue because udev (0.040 >) doesn't work properly without capability loaded.

l.