* selinux without sysvinit
@ 2004-11-03 14:21 Alejandro Mery
2004-11-03 19:00 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Alejandro Mery @ 2004-11-03 14:21 UTC (permalink / raw)
To: selinux
Hi, I am a complete newbie about SELinux, but I would like to use it on
my machines.
The 'problem' is I don't use sysvinit. I use runit
(http://smarden.org/runit/) instead.
runit has only 3 stages, and runs a script on each one.
stage 1: configures the machine
stage 2: run services and keep them supervised (like daemontools)
stage 3: stop services, umount and halt
On the download page you said the sysvinit patch can be replaced by an initrd; how?
How safe is it? Do I need to patch runit in the same way?
Thanks in advance,
Alejandro Mery
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley @ 2004-11-03 19:00 UTC (permalink / raw)
To: Alejandro Mery; +Cc: selinux
On Wed, 2004-11-03 at 09:21, Alejandro Mery wrote:
> Hi, I am a complete newbie about SELinux, but I would like to use it on
> my machines.
>
> The 'problem' is I don't use sysvinit. I use runit
> (http://smarden.org/runit/) instead.
>
> runit has only 3 stages, and runs a script on each one.
> stage 1: configures the machine
> stage 2: run services and keep them supervised (like daemontools)
> stage 3: stop services, umount and halt
>
> On the download page you said the sysvinit patch can be replaced by an initrd; how?
> How safe is it? Do I need to patch runit in the same way?
You either need to load a policy prior to running your runit program
(e.g. via an initrd, which is what we originally did), or modify your
runit program to load a policy and re-exec itself into the correct
security domain (as is done by the sysvinit patch). Entirely up to you;
the cost of doing it from the initrd is that you have to rebuild the initrd
if you need to change anything in that bootstrapping policy (you can
always load a more complete policy later).
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
From: Alejandro Mery @ 2004-11-04 0:54 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
> You either need to load a policy prior to running your runit program
> (e.g. via an initrd, which is what we originally did), or modify your
> runit program to load a policy and re-exec itself into the correct
> security domain (as is done by the sysvinit patch).
What do you think about an SELinux init that loads the policy and replaces
itself with /sbin/init (any) after that?
Regards,
Alejandro Mery
From: Stephen Smalley @ 2004-11-04 14:47 UTC (permalink / raw)
To: Alejandro Mery; +Cc: selinux
On Wed, 2004-11-03 at 19:54, Alejandro Mery wrote:
> > You either need to load a policy prior to running your runit program
> > (e.g. via an initrd, which is what we originally did), or modify your
> > runit program to load a policy and re-exec itself into the correct
> > security domain (as is done by the sysvinit patch).
>
> What do you think about an SELinux init that loads the policy and replaces
> itself with /sbin/init (any) after that?
Yes, that should work as well, and I think some people have actually
used that approach in the past. But if you decide to move aside
/sbin/init and replace it with a small program that loads policy and
then runs the real init program, be careful that telinit is then
redirected to the real init program.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
From: Alejandro Mery @ 2004-11-05 14:58 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
> Yes, that should work as well, and I think some people have actually
> used that approach in the past. But if you decide to move aside
> /sbin/init and replace it with a small program that loads policy and
> then runs the real init program, be careful that telinit is then
> redirected to the real init program.
I was thinking of a /sbin/seinit with the proper init= on the loader, hardcoded
to execve /sbin/init and /bin/sh after that.
Could this affect telinit?
Alejandro
* Re: selinux without sysvinit
From: Stephen Smalley @ 2004-11-05 15:10 UTC (permalink / raw)
To: Alejandro Mery; +Cc: selinux
* Re: selinux without sysvinit
From: Russell Coker @ 2005-04-05 13:37 UTC (permalink / raw)
To: Alejandro Mery; +Cc: Stephen Smalley, selinux
On Saturday 06 November 2004 01:58, Alejandro Mery <amery@geeks.cl> wrote:
> > Yes, that should work as well, and I think some people have actually
> > used that approach in the past. But if you decide to move aside
> > /sbin/init and replace it with a small program that loads policy and
> > then runs the real init program, be careful that telinit is then
> > redirected to the real init program.
>
> I was thinking of a /sbin/seinit with the proper init= on the loader, hardcoded
> to execve /sbin/init and /bin/sh after that.
I've done that; it works. It's a minor PITA though: you need to have your
boot loader pass init=/sbin/seinit. If your boot loader is something
like the boot loader in a Cobalt machine it's even more painful, as BIOS
upgrades etc. can lose the boot loader config.
Best to just patch /sbin/init; I only patched init after trying all the other
options and finding them to be worse.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
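The /sbin/seinit idea proposed by Alejandro above and confirmed by Russell, written out as an added illustration that is not code from the thread, from the sysvinit patch, or from libselinux: it talks to the kernel's selinuxfs load node directly. The selinuxfs mount point (/selinux, as on 2.6-era kernels) and the policy path are assumptions, and the fall-back-to-shell behaviour on a failed load is my choice, not something the thread specifies.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#define SELINUXFS   "/selinux"                /* assumed selinuxfs mount point (2.6-era) */
#define POLICY_FILE "/etc/selinux/policy.bin" /* assumed binary policy path */

/* Write the whole policy image to the load node in ONE write(2): the kernel refuses partial writes. 0 on success, -1 on error. */
static int load_policy(const char *policy, const char *load_node)
{
    struct stat st; char *buf = NULL; ssize_t got = 0, n; int in, out, rc = -1;
    if ((in = open(policy, O_RDONLY)) < 0) return -1;
    if (fstat(in, &st) < 0 || st.st_size <= 0 || !(buf = malloc(st.st_size))) goto done;
    while (got < st.st_size && (n = read(in, buf + got, st.st_size - got)) > 0) got += n;
    if (got != st.st_size || (out = open(load_node, O_WRONLY)) < 0) goto done;
    rc = (write(out, buf, st.st_size) == st.st_size) ? 0 : -1;
    close(out);
done:
    free(buf); close(in); return rc;
}

/* Offline self-check: round-trip constructed bytes (only the policydb magic and "SE Linux" tag, not a loadable policy) through two temp files; 0 if equal. */
static int selftest(void)
{
    char src[] = "/tmp/seinit_src_XXXXXX", dst[] = "/tmp/seinit_dst_XXXXXX";
    const char sample[] = "\x8c\xff\x7c\xf9SE Linux";
    char back[sizeof sample] = {0};
    int s = mkstemp(src), d = mkstemp(dst), rc = -1;
    if (s >= 0 && d >= 0 && write(s, sample, sizeof sample) == (ssize_t)sizeof sample &&
        load_policy(src, dst) == 0 && pread(d, back, sizeof back, 0) == (ssize_t)sizeof back &&
        memcmp(sample, back, sizeof sample) == 0) rc = 0;
    if (s >= 0) { close(s); unlink(src); }
    if (d >= 0) { close(d); unlink(dst); }
    return rc;
}

int main(int argc, char **argv)
{
    mount("none", SELINUXFS, "selinuxfs", 0, NULL); /* EBUSY if an initrd already did it: fine */
    if (load_policy(POLICY_FILE, SELINUXFS "/load") != 0) {
        perror("seinit: policy load failed, dropping to a shell"); /* my choice: do not boot unconfined silently */
        execl("/bin/sh", "sh", (char *)NULL);
        return 1;
    }
    /* The execve happens after the load, so the kernel applies the policy's domain transition to /sbin/init here; kernel-supplied argv (e.g. "single") is forwarded. */
    execv("/sbin/init", argv);
    execl("/bin/sh", "sh", (char *)NULL); /* last resort, as proposed in the thread */
    return 1;
}
```

Because /sbin/init stays in place and only the boot loader's init= changes, telinit still reaches the real init, which is the pitfall Stephen raised for the move-aside variant.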