SELinux and non-ext[23] file systems

SELinux and non-ext[23] file systems

[Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office]

First the good news. Last week I gave a presentation about secure operating 
systems, running the slides on Staroffice 6.0 beta on SELinux 20011016. It ran 
smoothly like a humming bee. Great! It shows that this stuff is usable on a 
laptop.

This said, I would like to re-raise the importance of non-ext2 file system 
support, notably ReiserFS. It has been pointed out before, by Stephen Smalley, 
that this should in principle be easy to integrate (the per-node sec context 
needs to be stored in a file rather than in an unused field of the on-disk inode 
structure). However, I am not aware of anyone tackling this implementation.

Now, if someone could give me a few hints of where the additional code goes, I 
would like to volunteer some of my spare brain cycles to tackle this problem.
ReiserFS support on SELinux would certainly not only make my day.

Regards

Harald

**********************************************************
 Dr. Harald von Fellenberg  
 Chief Technologist        Global Sales Organisation
 Tel:    +41 1 908 9230    Sun Microsystems (Schweiz) AG
 Fax:    +41 1 908 9001    Javastr. 2 
 Mobile: +41 79 349 0393   CH-8604 Volketswil
 mailto:harald.von-fellenberg@sun.com
**********************************************************


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and non-ext[23] file systems

[Stephen Smalley]

On Mon, 19 Nov 2001, Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office wrote:

> This said, I would like to re-raise the importance of non-ext2 file system
> support, notably ReiserFS. It has been pointed out before, by Stephen Smalley,
> that this should in principle be easy to integrate (the per-node sec context
> needs to be stored in a file rather than in an unused field of the on-disk inode
> structure). However, I am not aware of anyone tackling this implementation.

Only the original SELinux prototype was limited to the ext2 filesystem,
due to the use of a spare field in the on-disk ext2 inode to store the
persistent security identifier (PSID).  When we transitioned to LSM, we
extended the persistent label mapping to maintain the inode-to-PSID
mapping as a regular file because LSM does not provide filesystem-specific
hooks.  Hence, the LSM-based SELinux prototype should be able to use
ReiserFS, although we haven't tried it.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and non-ext[23] file systems

[Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy Office]

IT WORKS ON REISERFS!!!

Why did you not tell me before ... :-)
I will now invest my brain cycles on making the utils compile under Suse 7.x

Thanks and regards

Harald
PS here my patch :-)

--- setfiles/Makefile.orig      Wed Jul 18 22:38:11 2001
+++ setfiles/Makefile   Mon Nov 19 16:19:18 2001
@@ -9,6 +9,7 @@
 
 relabel:  $(FILECONTEXTS) setfiles
        ./setfiles $(FILECONTEXTS) `mount | awk '/ext2/{print $$3}'`
+       ./setfiles $(FILECONTEXTS) `mount | awk '/reiserfs/{print $$3}'`
        touch relabel
 
 install:  relabel

>
>On Mon, 19 Nov 2001, Harald von Fellenberg - Sun Switzerland Zurich - 
Technology Strategy Office wrote:
>
>> This said, I would like to re-raise the importance of non-ext2 file system
>> support, notably ReiserFS. It has been pointed out before, by Stephen 
Smalley,
>> that this should in principle be easy to integrate (the per-node sec context
>> needs to be stored in a file rather than in an unused field of the on-disk 
inode
>> structure). However, I am not aware of anyone tackling this implementation.
>
>Only the original SELinux prototype was limited to the ext2 filesystem,
>due to the use of a spare field in the on-disk ext2 inode to store the
>persistent security identifier (PSID).  When we transitioned to LSM, we
>extended the persistent label mapping to maintain the inode-to-PSID
>mapping as a regular file because LSM does not provide filesystem-specific
>hooks.  Hence, the LSM-based SELinux prototype should be able to use
>ReiserFS, although we haven't tried it.
>
>--
>Stephen D. Smalley, NAI Labs
>ssmalley@nai.com
>
>
>
>
>
>--
>You have received this message because you are subscribed to the selinux list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.

**********************************************************
 Dr. Harald von Fellenberg  
 Chief Technologist        Global Sales Organisation
 Tel:    +41 1 908 9230    Sun Microsystems (Schweiz) AG
 Fax:    +41 1 908 9001    Javastr. 2 
 Mobile: +41 79 349 0393   CH-8604 Volketswil
 mailto:harald.von-fellenberg@sun.com
**********************************************************


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and non-ext[23] file systems

[Stephen Smalley]

On Mon, 19 Nov 2001, Harald von Fellenberg wrote:

> IT WORKS ON REISERFS!!!

Good, glad to hear it.

> I will now invest my brain cycles on making the utils compile under Suse 7.x

James Bishop has worked on porting the modified utilities to SuSE 7.2, so
you should refer to his prior postings in the mailing list archives at
http://marc.theaimsgroup.com/?l=selinux.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux and non-ext[23] file systems

[Hans Reiser]

Harald von Fellenberg - Sun Switzerland Zurich - Technology Strategy 
Office wrote:

>IT WORKS ON REISERFS!!!
>
>Why did you not tell me before ... :-)
>I will now invest my brain cycles on making the utils compile under Suse 7.x
>
>Thanks and regards
>
>Harald
>PS here my patch :-)
>
>--- setfiles/Makefile.orig      Wed Jul 18 22:38:11 2001
>+++ setfiles/Makefile   Mon Nov 19 16:19:18 2001
>@@ -9,6 +9,7 @@
> 
> relabel:  $(FILECONTEXTS) setfiles
>        ./setfiles $(FILECONTEXTS) `mount | awk '/ext2/{print $$3}'`
>+       ./setfiles $(FILECONTEXTS) `mount | awk '/reiserfs/{print $$3}'`
>        touch relabel
> 
> install:  relabel
>
>>On Mon, 19 Nov 2001, Harald von Fellenberg - Sun Switzerland Zurich - 
>>
>Technology Strategy Office wrote:
>
>>>This said, I would like to re-raise the importance of non-ext2 file system
>>>support, notably ReiserFS. It has been pointed out before, by Stephen 
>>>
>Smalley,
>
>>>that this should in principle be easy to integrate (the per-node sec context
>>>needs to be stored in a file rather than in an unused field of the on-disk 
>>>
>inode
>
>>>structure). However, I am not aware of anyone tackling this implementation.
>>>
>>Only the original SELinux prototype was limited to the ext2 filesystem,
>>due to the use of a spare field in the on-disk ext2 inode to store the
>>persistent security identifier (PSID).  When we transitioned to LSM, we
>>extended the persistent label mapping to maintain the inode-to-PSID
>>mapping as a regular file because LSM does not provide filesystem-specific
>>hooks.  Hence, the LSM-based SELinux prototype should be able to use
>>ReiserFS, although we haven't tried it.
>>
>>--
>>Stephen D. Smalley, NAI Labs
>>ssmalley@nai.com
>>
>>
>>
>>
>>
>>--
>>You have received this message because you are subscribed to the selinux list.
>>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>the words "unsubscribe selinux" without quotes as the message.
>>
>
>**********************************************************
> Dr. Harald von Fellenberg  
> Chief Technologist        Global Sales Organisation
> Tel:    +41 1 908 9230    Sun Microsystems (Schweiz) AG
> Fax:    +41 1 908 9001    Javastr. 2 
> Mobile: +41 79 349 0393   CH-8604 Volketswil
> mailto:harald.von-fellenberg@sun.com
>**********************************************************
>
>
>--
>You have received this message because you are subscribed to the selinux list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>
>
Please let me know if you need anything from the reiserfs team to assist 
you in integrating SE Linux and reiserfs.  Also, if you are interested 
in producing anything that might go into our faq, or as a patch on our 
download page, let me know.

If anyone involved in SE Linux is interested in working with us, let me 
encourage you to view www.namesys.com/v4/v4.html, and feel free to ask 
us to add new features that make your work easier.

Hans



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

selinux, openssh, ipv6

[jeff burson]

Hello,

I've recently installed selinux on my rh7.1 system using the
full lsm-selinux-200110161355 tarball (opt.1). I'm playing
around with it, learning the system, exploring, etc.

First, my congratulations and gratitude to those who have
put this together: a VERY impressive system (and one of the
best documented installs of an open-source OS security system
I've run across).

A problem I've run into is regarding IPv6. At lsm kernel compile
time, I compiled for IPv6 support and having it successfully
running. The interface is listening on an assigned IPv6
address and is pingable from another IPv6 device. However,
the selinux install of OpenSSH does not appear to be listening
on the IPv6 address (it is listening on the IPv4 address).

I have not run into this problem with manual builds (or rpms)
of regular openssh recently, so am trying to figure out what's
wrong.

here's the relevant output from configure:

struct sockaddr_in6... (cached) yes
checking for struct in6_addr... (cached) yes
checking for ut_addr_v6 field in utmp.h... (cached) yes
checking for ut_addr_v6 field in utmpx.h... (cached) yes
checking if we need to convert IPv4 in IPv6-mapped addresses... yes
(default)
      Use IPv4 by default hack: no
       Translate v4 in v6 hack: yes


Any ideas or suggestions?

jeff





--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux, openssh, ipv6

[Stephen Smalley]

On Fri, 23 Nov 2001, jeff burson wrote:

> A problem I've run into is regarding IPv6. At lsm kernel compile
> time, I compiled for IPv6 support and having it successfully
> running. The interface is listening on an assigned IPv6
> address and is pingable from another IPv6 device. However,
> the selinux install of OpenSSH does not appear to be listening
> on the IPv6 address (it is listening on the IPv4 address).
>
> I have not run into this problem with manual builds (or rpms)
> of regular openssh recently, so am trying to figure out what's
> wrong.

The SELinux modifications to sshd shouldn't affect the use of IPv6.  Does
the pure openssh-2.9p2 SRPM for RH7.1 work for you?  Did you get any log
messages in /var/log/messages when sshd started?

As a side note, LSM doesn't yet provide any hooks in the IPv6 code, just
in the IPv4 code, so some of the SELinux network access controls won't be
enforced if you are using IPv6.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com







--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.