* [POLICY/PATCH] IA-64 Boot Partition
@ 2005-04-16  6:57 KaiGai Kohei
  2005-04-16 15:55 ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: KaiGai Kohei @ 2005-04-16  6:57 UTC (permalink / raw)
  To: SELinux-ML(NSA)

[-- Attachment #1: Type: text/plain, Size: 700 bytes --]

Hello,

This attached patch modifies genfs_contexts.
When arch_ia64 is defined in tunable/tunable.tun,
vfat is labeled as boot_t, not dosfs_t.

Currently, vfat-fs is recognized as dosfs_t.
But vfat is often used as a bootable partition,
which should be labeled as boot_t.

In IA-64 Linux, any files related to the booting process, such as
vmlinuz and initrd.img, are placed under /boot/efi/.
We must mount a vfat partition that contains such files on /boot/efi,
because EFI can't recognize the contents of Ext2/3 partitions.
(EFI is firmware similar to a PC's BIOS.)
# The kernel provided by RedHat is placed in /boot/efi/efi/redhat.

Thanks,
--
DO NOTHING IS THE WORST POLICY.
KaiGai Kohei <kaigai@kaigai.gr.jp>

[-- Attachment #2: policy-1.22_IA64_BootPartition.patch --]
[-- Type: text/plain, Size: 825 bytes --]

--- policy-1.22/genfs_contexts	2005-01-24 14:00:41.000000000 -0500
+++ policy-1.22-ia64/genfs_contexts	2005-04-16 15:55:51.000000000 -0400
@@ -77,7 +77,9 @@
 genfscon ramfs /			system_u:object_r:ramfs_t
 
 # vfat, msdos
-genfscon vfat /				system_u:object_r:dosfs_t
+ifdef(`arch_ia64',
+`genfscon vfat /				system_u:object_r:boot_t',
+`genfscon vfat /				system_u:object_r:dosfs_t')
 genfscon msdos /			system_u:object_r:dosfs_t
 genfscon fat /				system_u:object_r:dosfs_t
 genfscon ntfs /				system_u:object_r:dosfs_t
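Review bot: the `ifdef(`arch_ia64', ...)` around the vfat line relabels every vfat filesystem on an IA-64 box as boot_t, not only the EFI system partition, so a USB stick or a DOS data partition mounted on such a machine would also carry boot_t and every domain allowed to write boot_t would gain access to it. Scoping the boot_t label to the one mount (a `context=` option on the /boot/efi fstab entry) keeps the genfscon default of dosfs_t for the other vfat filesystems. If the tunable route is kept anyway, the commit message should state that the rule is inert until the `dnl`-disabled define in tunable.tun is switched on.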
--- policy-1.22/tunables/tunable.tun	2004-12-10 14:57:36.000000000 -0500
+++ policy-1.22-ia64/tunables/tunable.tun	2005-04-16 15:55:16.000000000 -0400
@@ -29,3 +29,6 @@
 
 # for ndc_t to be used for restart shell scripts
 dnl define(`ndc_shell_script')
+
+# for IA-64 archtecture
+dnl define(`arch_ia64')
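Review bot: typo in the new comment, `archtecture` should read `architecture`. Leaving the define `dnl`-disabled by default matches the `ndc_shell_script` convention above it, but the comment should say what enabling it changes (all vfat filesystems labeled boot_t instead of dosfs_t), so an administrator knows the effect before uncommenting the line.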


* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-16  6:57 [POLICY/PATCH] IA-64 Boot Partition KaiGai Kohei
@ 2005-04-16 15:55 ` Christopher J. PeBenito
  2005-04-16 16:25   ` KaiGai Kohei
  0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2005-04-16 15:55 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: SELinux-ML(NSA)

On Sat, 2005-04-16 at 15:57 +0900, KaiGai Kohei wrote:
> This attached patch modifies genfs_contexts.
> When arch_ia64 is defined in tunable/tunable.tun,
> vfat is labeled as boot_t, not dosfs_t.
> 
> Currently, vfat-fs is recognized as dosfs_t.
> But vfat is often used as a bootable partition,
> which should be labeled as boot_t.
> 
> In IA-64 Linux, any files related to the booting process, such as
> vmlinuz and initrd.img, are placed under /boot/efi/.
> We must mount a vfat partition that contains such files on /boot/efi,
> because EFI can't recognize the contents of Ext2/3 partitions.
> (EFI is firmware similar to a PC's BIOS.)
> # The kernel provided by RedHat is placed in /boot/efi/efi/redhat.

It would seem like mounting /boot with the context= mount option is a
better solution.  Vfat being mounted at /boot is an exception to the
genfscon; there could be other vfat partitions you might want to mount,
and they should be dosfs_t.  So rather than making all vfat partitions
boot_t on ia64, you should just mount /boot with the context= option.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
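The context= approach Chris describes, as an added example that is not part of the thread or of the policy: a small POSIX shell script that audits an /etc/fstab and reports whether the vfat filesystem at /boot/efi is mounted with a context= option naming boot_t, while other vfat entries are left to the unchanged genfscon rule. The fstab content, the device names and the pre-MLS context string system_u:object_r:boot_t are assumptions; the mount point /boot/efi comes from KaiGai's post.

```shell
#!/bin/sh
# Added example, not code from the thread or the policy. It audits an fstab
# for the approach suggested in the reply above: keep genfscon vfat as dosfs_t
# and mount only the EFI boot partition with a context= option that sets boot_t.
# Assumptions: policy-1.22-era contexts without an MLS field, and the mount
# point /boot/efi from the original post. The fstab below is constructed.

SAMPLE_FSTAB='
# <device>     <mountpoint>  <fstype>  <options>                                     <dump> <pass>
LABEL=/        /             ext3      defaults                                      1 1
/dev/sda1      /boot/efi     vfat      umask=0077,context=system_u:object_r:boot_t   0 0
/dev/sdb1      /mnt/usb      vfat      noauto,user                                   0 0
'

# Print "<fstype> <context>" for the entry at mount point $2 in the fstab text $1,
# with "-" when the options carry no context=. Comments and short lines are skipped.
fstab_entry() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            ctx = "-"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^context=/) ctx = substr(opt[i], 9)   # strip "context="
            print $3, ctx
            exit
        }'
}

# Classify the boot partition entry and print one of:
#   ok | wrong-context:<ctx> | missing-context | not-vfat | no-entry
# Exit status is 0 only for "ok".
check_boot_partition() {
    entry=$(fstab_entry "$1" "$2")
    [ -n "$entry" ] || { echo no-entry; return 1; }
    fstype=${entry%% *}
    ctx=${entry#* }
    [ "$fstype" = vfat ] || { echo not-vfat; return 1; }
    [ "$ctx" != "-" ]    || { echo missing-context; return 1; }
    case $ctx in
        *:boot_t) echo ok; return 0 ;;
        *)        echo "wrong-context:$ctx"; return 1 ;;
    esac
}

# On the constructed fstab the EFI partition passes, and the USB stick rightly
# has no context= option: it will be labeled dosfs_t by the genfscon rule.
check_boot_partition "$SAMPLE_FSTAB" /boot/efi
check_boot_partition "$SAMPLE_FSTAB" /mnt/usb || true
```

Against a real system run `check_boot_partition "$(cat /etc/fstab)" /boot/efi`; a non-zero exit means the boot partition would fall back to the dosfs_t label from genfscon. Putting the label in fstab also keeps the exception visible in one place, which is easier to audit than an architecture conditional buried in the policy.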


* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-16 15:55 ` Christopher J. PeBenito
@ 2005-04-16 16:25   ` KaiGai Kohei
  2005-04-16 17:28     ` Christopher J. PeBenito
  2005-04-18 12:27     ` Stephen Smalley
  0 siblings, 2 replies; 8+ messages in thread
From: KaiGai Kohei @ 2005-04-16 16:25 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux-ML(NSA)

Hi, Christopher

Thanks for your solution.
Indeed, we can solve this problem by appending a line to /etc/fstab
or with a command line option.

BTW, what architectures are used and checked by SELinux's people?
For example, a kernel panic occurs on the 2.6.6 or earlier kernels for IA-64
when SELinux is enabled. This phenomenon has been overlooked.

I can validate the evidence on IA64/i386 environments.
Is there a person who can try to run SELinux on an infrequent (not i386) platform?

Thanks,

> It would seem like mounting /boot with the context= mount option is a
> better solution.  Vfat being mounted at /boot is an exception to the
> genfscon; there could be other vfat partitions you might want to mount,
> and they should be dosfs_t.  So rather than making all vfat partitions
> boot_t on ia64, you should just mount /boot with the context= option.
-- 
DO NOTHING IS THE WORST POLICY.
KaiGai Kohei <kaigai@kaigai.gr.jp>



* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-16 16:25   ` KaiGai Kohei
@ 2005-04-16 17:28     ` Christopher J. PeBenito
  2005-04-18 12:27     ` Stephen Smalley
  1 sibling, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2005-04-16 17:28 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: SELinux-ML(NSA)

On Sun, 2005-04-17 at 01:25 +0900, KaiGai Kohei wrote:
> BTW, what architectures are used and checked by SELinux's people?
> For example, a kernel panic occurs on the 2.6.6 or earlier kernels for IA-64
> when SELinux is enabled. This phenomenon has been overlooked.
> 
> I can validate the evidence on IA64/i386 environments.
> Is there a person who can try to run SELinux on an infrequent (not i386) platform?

I have AMD64 and PPC running fine.  I know SPARC64 works too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150





* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-16 16:25   ` KaiGai Kohei
  2005-04-16 17:28     ` Christopher J. PeBenito
@ 2005-04-18 12:27     ` Stephen Smalley
  2005-04-18 16:54       ` KaiGai Kohei
  1 sibling, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2005-04-18 12:27 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: Christopher J. PeBenito, SELinux-ML(NSA), James Morris

On Sun, 2005-04-17 at 01:25 +0900, KaiGai Kohei wrote:
> Thanks for your solution.
> Indeed, we can solve this problem by appending a line to /etc/fstab
> or with a command line option.
> 
> BTW, what architectures are used and checked by SELinux's people?
> For example, a kernel panic occurs on the 2.6.6 or earlier kernels for IA-64
> when SELinux is enabled. This phenomenon has been overlooked.
> 
> I can validate the evidence on IA64/i386 environments.
> Is there a person who can try to run SELinux on an infrequent (not i386) platform?

All of my machines are x86, so I'm afraid I can't be of much help there.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency




* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-18 12:27     ` Stephen Smalley
@ 2005-04-18 16:54       ` KaiGai Kohei
  2005-04-18 17:14         ` Stephen Smalley
  2005-04-19  1:07         ` Russell Coker
  0 siblings, 2 replies; 8+ messages in thread
From: KaiGai Kohei @ 2005-04-18 16:54 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Christopher J. PeBenito, SELinux-ML(NSA), James Morris

Hi,

>>BTW, what architectures are used and checked by SELinux's people?
>>For example, a kernel panic occurs on the 2.6.6 or earlier kernels for IA-64
>>when SELinux is enabled. This phenomenon has been overlooked.
>>
>>I can validate the evidence on IA64/i386 environments.
>>Is there a person who can try to run SELinux on an infrequent (not i386) platform?
>
>
> All of my machines are x86, so I'm afraid I can't be of much help there.

In Japan, Secure-OS such as SELinux is hoped for in the embedded computing field,
because applying the latest security patches to those applications is not
as easy as for our desktop PCs.
So, I wonder who has evaluated the behavior on the ARM/MIPS architectures.

# This is NOT NEC's business requirement, just my personal interest. :-)

Thanks,
-- 
DO NOTHING IS THE WORST POLICY.
KaiGai Kohei <kaigai@kaigai.gr.jp>



* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-18 16:54       ` KaiGai Kohei
@ 2005-04-18 17:14         ` Stephen Smalley
  2005-04-19  1:07         ` Russell Coker
  1 sibling, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2005-04-18 17:14 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: Christopher J. PeBenito, SELinux-ML(NSA), James Morris

On Tue, 2005-04-19 at 01:54 +0900, KaiGai Kohei wrote:
> In Japan, Secure-OS such as SELinux is hoped for in the embedded computing field,
> because applying the latest security patches to those applications is not
> as easy as for our desktop PCs.
> So, I wonder who has evaluated the behavior on the ARM/MIPS architectures.

Earlier versions of SELinux were ported to ARM and successfully run on
the iPAQ by two independent efforts, but that was all prior to the 2.6
SELinux.  At this point, the largest challenge to SELinux there is
likely the fact that the 2.6 SELinux depends on extended attributes for
file security contexts, and jffs2 doesn't support them natively.  There
has been discussion of supporting extended attributes in jffs3, I
believe.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency




* Re: [POLICY/PATCH] IA-64 Boot Partition
  2005-04-18 16:54       ` KaiGai Kohei
  2005-04-18 17:14         ` Stephen Smalley
@ 2005-04-19  1:07         ` Russell Coker
  1 sibling, 0 replies; 8+ messages in thread
From: Russell Coker @ 2005-04-19  1:07 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: KaiGai Kohei, SELinux-ML(NSA)

On Tuesday 19 April 2005 02:54, KaiGai Kohei <kaigai@kaigai.gr.jp> wrote:
> In Japan, Secure-OS such as SELinux is hoped for in the embedded computing field,
> because applying the latest security patches to those applications is not
> as easy as for our desktop PCs.
> So, I wonder who has evaluated the behavior on the ARM/MIPS architectures.

I was one of the people who got SE Linux to work on an iPaQ.  I own two iPaQs
and plan to get them going again as soon as JFFS2 supports XATTRs.

I have no immediate plans to get any more machines other than x86.  In
Australia P3-800 class machines are really cheap, and such machines provide all
the computing power I generally need, so I don't have any plans to purchase
anything better.

I have access to some other platforms in the Red Hat test lab, but nothing I 
can actually have on my desk.

We really need to get some people seriously using SE Linux on non-x86 
platforms for their regular computer use to get everything tested out.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


