[ANN] SELinux kernel project page

[ANN] SELinux kernel project page

[James Morris]

FYI,

If you're involved in any kind of SELinux kernel development, you may be 
interested in the recently created wiki page:

http://selinuxproject.org/page/Kernel_Development

This is where we'll be keeping track of todo items and various kernel 
related issues.

Please feel free to edit the page yourself (wiki accounts may be obtained 
by emailing Karl MacMillan <kmacmill@redhat.com>).

At some point, we may migrate this to a Trac system, although that may be 
something to consider more widely for the SELinux project in general.


- James
-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux kernel project page

[Serge E. Hallyn]

Quoting James Morris (jmorris@namei.org):
> FYI,
> 
> If you're involved in any kind of SELinux kernel development, you may be 
> interested in the recently created wiki page:
> 
> http://selinuxproject.org/page/Kernel_Development

one item is

    * Support for kernel namespaces 

Did anyone have some idea of what we might want to add?  My thought was
that the policy server work would pretty much cover the desired extensions -
so I create a type called 'vserver1', and give vserver1.admin the rights
to create subtypes of vserver1 and administer it's policy, subject to
vserver1's rights.

Maybe someone wanted to add object types for each namespace type, with
'unshare', 'view', and perhaps (though unlikely) 'enter' permissions?

Finally checkpointing seems safely covered by ptrace, and kill by, well,
kill...

-serge

> This is where we'll be keeping track of todo items and various kernel 
> related issues.
> 
> Please feel free to edit the page yourself (wiki accounts may be obtained 
> by emailing Karl MacMillan <kmacmill@redhat.com>).
> 
> At some point, we may migrate this to a Trac system, although that may be 
> something to consider more widely for the SELinux project in general.
> 
> 
> - James
> -- 
> James Morris
> <jmorris@namei.org>
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [ANN] SELinux kernel project page

[Karl MacMillan]

On Fri, 2007-05-11 at 18:14 -0400, James Morris wrote:
> FYI,
> 
> If you're involved in any kind of SELinux kernel development, you may be 
> interested in the recently created wiki page:
> 
> http://selinuxproject.org/page/Kernel_Development
> 
> This is where we'll be keeping track of todo items and various kernel 
> related issues.
> 

Eventually we would like to move all of the current selinux project web
pages to this wiki (the selinux.sf.net pages). Unfortunately no one has
had time to work on this recently - if you would like to help please let
me know (on list or privately).

> Please feel free to edit the page yourself (wiki accounts may be obtained 
> by emailing Karl MacMillan <kmacmill@redhat.com>).
> 

Not just me - any of the selinux maintainers: Josh Brindle, Darrell
Goedel, Steve Smalley, or James Morris.

> At some point, we may migrate this to a Trac system, although that may be 
> something to consider more widely for the SELinux project in general.
> 

It's not clear to me that Trac would be more useful than the current
svn, bug tracker, and wiki, but I could be wrong.

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

non-standard filesystem support in SELinux

[Keith Holder]

A quick question on loadable policy modules.

Are there any plans to allow 3rd party filesystem support,
without having to edit/recompile the base policy module?

	keith

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: non-standard filesystem support in SELinux

[Joshua Brindle]

Keith Holder wrote:
>
> A quick question on loadable policy modules.
>
> Are there any plans to allow 3rd party filesystem support,
> without having to edit/recompile the base policy module?
>
>     keith

I don't think we've ever thought about it, it seems like something that 
is very uncommon. I suppose its something we could do when we rewrite 
the compiler to use the new representation but it won't be high on the 
list of priorities. To be clear, what kind of support are you looking 
for? fs_use_* support or genfs support?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: non-standard filesystem support in SELinux

[Keith Holder]

Joshua Brindle wrote:
> Keith Holder wrote:
>>
>> A quick question on loadable policy modules.
>>
>> Are there any plans to allow 3rd party filesystem support,
>> without having to edit/recompile the base policy module?
>>
>>     keith
> 
> I don't think we've ever thought about it, it seems like something that 
> is very uncommon. I suppose its something we could do when we rewrite 
> the compiler to use the new representation but it won't be high on the 
> list of priorities. To be clear, what kind of support are you looking 
> for? fs_use_* support or genfs support?

Mostly fs_use_* so that the filesystem, mount points and
underlying files don't end up with the unlabeled_t type as
the default.


	keith

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: non-standard filesystem support in SELinux

[Joshua Brindle]

Keith Holder wrote:
> Joshua Brindle wrote:
>> Keith Holder wrote:
>>>
>>> A quick question on loadable policy modules.
>>>
>>> Are there any plans to allow 3rd party filesystem support,
>>> without having to edit/recompile the base policy module?
>>>
>>>     keith
>>
>> I don't think we've ever thought about it, it seems like something 
>> that is very uncommon. I suppose its something we could do when we 
>> rewrite the compiler to use the new representation but it won't be 
>> high on the list of priorities. To be clear, what kind of support are 
>> you looking for? fs_use_* support or genfs support?
>
> Mostly fs_use_* so that the filesystem, mount points and
> underlying files don't end up with the unlabeled_t type as
> the default.
>
Is there a reason you can't use the context mount option to label the 
mountpoint and its underlying files?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.