* selinux cramfs
From: Debian User @ 2002-06-21 4:48 UTC
To: selinux

How do we make selinux work on cramfs?

--
You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: selinux cramfs
From: Russell Coker @ 2002-06-21 11:00 UTC
To: Debian User, selinux

On Fri, 21 Jun 2002 06:48, Debian User wrote:
> how do we make selinux work on cramfs?

To have full support for a file system (as with Ext2, Ext3, and ReiserFS) you need to have persistent Inode numbers, and the Inode numbers need to be known by the kernel (or setfiles) some time after the files were created.

This is not possible on cramfs.

The solution for a cramfs initrd is to have CONFIG_SECURITY_SELINUX_DEVELOP=y in your kernel config and then use avc_toggle to enable enforcing mode in your init scripts. Then you get some avc errors at boot up from your cramfs but it's not a big deal.

Another option is to use ext2 for an initrd.

A final option is to compile your kernel such that an initrd is not needed, but that is not possible for a cryptoapi root file system...

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the >From field.
* Re: selinux cramfs
From: Debian User @ 2002-06-21 11:49 UTC
To: Russell Coker; Cc: selinux

Russell Coker wrote:
> On Fri, 21 Jun 2002 06:48, Debian User wrote:
>> how do we make selinux work on cramfs?
>
> To have full support for a file system (as with Ext2, Ext3, and ReiserFS) you
> need to have persistent Inode numbers, and the Inode numbers need to be known
> by the kernel (or setfiles) some time after the files were created.
>
> This is not possible on cramfs.

Hmm, this might explain why everything has the unlabeled context when I run my system.

> The solution for a cramfs initrd is to have CONFIG_SECURITY_SELINUX_DEVELOP=y
> in your kernel config and then use avc_toggle to enable enforcing mode in
> your init scripts. Then you get some avc errors at boot up from your cramfs
> but it's not a big deal.
>
> Another option is to use ext2 for an initrd.
>
> A final option is to compile your kernel such that an initrd is not needed,
> but that is not possible for a cryptoapi root file system...

I'm using cramfs for a read-only root filesystem. How does selinux do the labeling then? Is it just an integer associated with inodes? Maybe I have to read the white papers all over again.
* Re: selinux cramfs
From: Stephen Smalley @ 2002-06-21 12:25 UTC
To: Debian User; Cc: Russell Coker, selinux

On Fri, 21 Jun 2002, Debian User wrote:
> I'm using cramfs for a read-only root filesystem.
> How does selinux do the labeling then? Is it just an integer associated
> with inodes? Maybe I have to read the white papers all over again.

The SELinux module only tries to assign labels to filesystem types that are known to be supported. We've made the labeling behavior more configurable and general since the last release, but that won't help with your particular problem.

SELinux uses one of four approaches to label inodes in the filesystem, based on the filesystem type, plus some specialized logic for /proc/PID and /proc/sys. Any unrecognized filesystem types are left with the unlabeled SID and its corresponding context. The four approaches are:

1) Use a persistent label mapping. This is appropriate for filesystems that have unique and persistent inode numbers. A two-level mapping is maintained in each filesystem between inode numbers and integer PSIDs and between PSIDs and security contexts. The mapping is typically initialized via setfiles, although the kernel will try to automatically initialize the mapping to a minimal state if a filesystem is mounted that lacks any mapping. SELinux uses this approach for ext2, ext3, and reiserfs, and it should also work for alternate filesystems like XFS. If extended attributes become widely available in filesystems, then SELinux will likely be retargeted to take advantage of them for this purpose.

2) Use the allocating task SID. This is appropriate for the pipefs and sockfs pseudo filesystems, where we want the pipes and sockets to be labeled with the SID of the allocating task (the kind of object in this case is implicit from the security class).

3) Use a transition SID computed from the allocating task SID and the filesystem SID. This is appropriate for the devpts and tmpfs pseudo filesystems, where we want the inodes to be labeled with a SID that expresses information about both the allocating task and the kind of object being represented (i.e. is it a pty, a shared memory object, etc?).

4) Use a context obtained from a configuration based on filesystem type, pathname prefix matching and file type. This is appropriate for pseudo filesystems like proc (outside of /proc/PID and /proc/sys), devfs, usbdevfs, and driverfs. In the current release, this is only done for devfs, with hardcoded logic for proc and usbdevfs, but we have subsequently generalized the mechanism so that it can be applied to other filesystem types.

Specialized logic in the module ensures that the /proc/PID entries are labeled with the SID of the associated task and that the /proc/sys entries are labeled with the SID of the corresponding sysctl variable.

You might be able to handle cramfs to some degree using the new genfs_contexts configuration, which is a generalization of devfs_contexts. That isn't in the current release, but will be in the next one.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
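As an added illustration (not SELinux's code and not from Stephen's post), the following Python models the four-way labeling decision described above together with a genfs_contexts-style table resolved by prefix match. The table entries, context strings, the PSID and transition lookups and the longest-prefix rule are constructed assumptions for the example.

```python
# Model of SELinux inode labeling as described in the thread (illustration
# only, not kernel code). Filesystem groupings follow the four approaches;
# the genfs table, contexts and lookup tables below are constructed.
from dataclasses import dataclass

UNLABELED = "system_u:object_r:unlabeled_t"

PSID_MAPPED = {"ext2", "ext3", "reiserfs"}   # approach 1: persistent mapping
TASK_SID = {"pipefs", "sockfs"}              # approach 2: allocating task SID
TRANSITION = {"devpts", "tmpfs"}             # approach 3: task x fs transition

# Constructed genfs_contexts-style entries: (fstype, path prefix, context).
GENFS = [
    ("proc", "/", "system_u:object_r:proc_t"),
    ("proc", "/kcore", "system_u:object_r:proc_kcore_t"),
    ("cramfs", "/", "system_u:object_r:root_t"),
    ("cramfs", "/etc", "system_u:object_r:etc_t"),
]


@dataclass
class Inode:
    fstype: str
    path: str
    ino: int


def genfs_lookup(fstype, path):
    """Approach 4: longest matching path prefix for the fstype wins
    (assumed matching rule); None when no entry matches."""
    best = None
    for fs, prefix, ctx in GENFS:
        if fs == fstype and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ctx)
    return best[1] if best else None


def label_inode(inode, task_sid, psid_map, transitions):
    """Return (approach, context). psid_map maps (fstype, ino) -> context,
    transitions maps (task_sid, fstype) -> context; both are constructed."""
    fs = inode.fstype
    if fs in PSID_MAPPED:
        return ("psid", psid_map.get((fs, inode.ino), UNLABELED))
    if fs in TASK_SID:
        return ("task", task_sid)
    if fs in TRANSITION:
        return ("transition", transitions.get((task_sid, fs), UNLABELED))
    ctx = genfs_lookup(fs, inode.path)
    if ctx is not None:
        return ("genfs", ctx)
    return ("unlabeled", UNLABELED)   # unrecognized fstype, e.g. nfs here
```

With a cramfs entry in the table, files on the read-only root get a context instead of the unlabeled one the earlier reply observed.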
* Re: selinux cramfs
From: Stephen Smalley @ 2002-06-21 12:45 UTC
To: Debian User; Cc: Russell Coker, selinux

On Fri, 21 Jun 2002, Stephen Smalley wrote:
> You might be able to handle cramfs to some degree using the new
> genfs_contexts configuration, which is a generalization of devfs_contexts.
> That isn't in the current release, but will be in the next one.

I just tried using genfs_contexts to specify a context for cramfs and then mounting a cramfs image, and it appears to work correctly. So this will hopefully be addressed by the next public release.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: selinux cramfs
From: Debian User @ 2002-06-21 12:51 UTC
To: Stephen Smalley; Cc: selinux

Great! I was planning to hack away already.

Stephen Smalley wrote:
> On Fri, 21 Jun 2002, Stephen Smalley wrote:
>> You might be able to handle cramfs to some degree using the new
>> genfs_contexts configuration, which is a generalization of devfs_contexts.
>> That isn't in the current release, but will be in the next one.
>
> I just tried using genfs_contexts to specify a context for cramfs and
> then mounting a cramfs image, and it appears to work correctly. So this
> will hopefully be addressed by the next public release.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
* Re: selinux cramfs
From: Russell Coker @ 2002-06-21 12:54 UTC
To: Stephen Smalley, Debian User; Cc: selinux

On Fri, 21 Jun 2002 14:45, Stephen Smalley wrote:
> On Fri, 21 Jun 2002, Stephen Smalley wrote:
>> You might be able to handle cramfs to some degree using the new
>> genfs_contexts configuration, which is a generalization of
>> devfs_contexts. That isn't in the current release, but will be in the
>> next one.
>
> I just tried using genfs_contexts to specify a context for cramfs and
> then mounting a cramfs image, and it appears to work correctly. So this
> will hopefully be addressed by the next public release.

Excellent!

Howard, when is the next release scheduled?

Stephen, I'm just about to test those patches you sent me.

Russell Coker
* Re: selinux cramfs
From: Debian User @ 2002-06-21 13:08 UTC
To: Russell Coker; Cc: selinux

Russell Coker wrote:
> On Fri, 21 Jun 2002 14:45, Stephen Smalley wrote:
>> On Fri, 21 Jun 2002, Stephen Smalley wrote:
>>> You might be able to handle cramfs to some degree using the new
>>> genfs_contexts configuration, which is a generalization of
>>> devfs_contexts. That isn't in the current release, but will be in the
>>> next one.
>>
>> I just tried using genfs_contexts to specify a context for cramfs and
>> then mounting a cramfs image, and it appears to work correctly. So this
>> will hopefully be addressed by the next public release.
>
> Excellent!
>
> Howard, when is the next release scheduled?
>
> Stephen, I'm just about to test those patches you sent me.
>
> Russell Coker

Cool! My system is waiting. Lots of possibilities here.
* Re: selinux cramfs
From: Russell Coker @ 2002-06-21 12:28 UTC
To: Debian User; Cc: selinux

On Fri, 21 Jun 2002 13:49, Debian User wrote:
>> A final option is to compile your kernel such that an initrd is not
>> needed, but that is not possible for a cryptoapi root file system...
>
> I'm using cramfs for a read-only root filesystem.
> How does selinux do the labeling then? Is it just an integer associated
> with inodes? Maybe I have to read the white papers all over again.

It basically ends up as an integer associated with each Inode.

SE Linux in its current form can't work with a root file system such as cramfs or NFS. You can use ext2 in a ram disk mounted read-only for a read-only root file system. Or you could use Ext2 with compression patches and a read-only block device to get the same results as you seem to be aiming for (compression and impossibility of writing).

Of course if unix permissions and SE permissions both fail and someone gets access to /dev/kmem then nothing will save you...

--
I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the >From field.