SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: [RFC] Kernel .config options for building LTP SECURITY TESTS This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Tue, 04 Nov 2008 09:47:28 -0500 On Tue, 2008-11-04 at 17:16 +0530, Subrata Modak wrote: > Hi Serge & Stephen, > > Are there any more .config options required to be set/unset for > compiling 2.6.27 with all LSM enabled, apart from below: > > CONFIG_SECURITY=y > CONFIG_SECURITY_NETWORK=y > CONFIG_SECURITY_NETWORK_XFRM=y > CONFIG_SECURITY_FILE_CAPABILITIES=y These are fine. > CONFIG_SECURITY_ROOTPLUG=y Don't enable rootplug - it doesn't honor the security= option. See below. Plus it is just a toy example for an article that was published long ago. I don't really understand why it is in mainline. *> CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0* This has to be set to a positive value if you want to test this check. Fedora kernels set it to 65536. > CONFIG_SECURITY_SELINUX=y > CONFIG_SECURITY_SELINUX_BOOTPARAM=y *> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1* > CONFIG_SECURITY_SELINUX_DEVELOP=y > CONFIG_SECURITY_SELINUX_AVC_STATS=y *> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1* > CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y These are fine. > CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y You don't want this one unless you are running Fedora 3 or 4. On anything newer, it will cause unnecessary policy expansion. *> CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19* > CONFIG_SECURITY_SMACK=y > > I would like to run the filecaps and selinux tests in LTP and may be any > SMACK tests in future. Will it create a problem if kernel is built with > both below options set: > > CONFIG_SECURITY_SMACK=y > CONFIG_SECURITY_SELINUX=y By default, if you boot with multiple LSMs compiled into the kernel, the kernel won't boot succesfully - there can be only one (aside from explicit internal "stacking" e.g. as is done for combining SELinux or Smack with capabilities). Unless you use the security= option to select one at boot. SELinux and Smack will honor the security= option. > A great help would be in the form of a patch in updating: > http://ltp.cvs.sourceforge.net/viewvc/ltp/ltp/testcases/kernel/security/selinux-testsuite/README > > in terms of exact SELinux policy(s) and userspace tool(s) to be > installed (from where to get and where to put) to build and run the > SELinux testsuite, supposing that a new kernel is built and no SELinux > policies/uerspace tools existed there before. The existing ltp selinux testsuite presumes that you have an existing SELinux policy + userspace tools. I've only ever used it on Fedora and RHEL, and principally on the latest Fedora. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Tue 4 Nov 2008 - 09:48:35 EST This message: [ Message body ] Next message: Stephen Smalley: "Re: [PATCH -v2 1/3] SECURITY: new capable_noaudit interface" Previous message: Subrata Modak: "[RFC] Kernel .config options for building LTP SECURITY TESTS" In reply to: Subrata Modak: "[RFC] Kernel .config options for building LTP SECURITY TESTS" Next in thread: Subrata Modak: "Re: [RFC] Kernel .config options for building LTP SECURITY TESTS" Reply: Subrata Modak: "Re: [RFC] Kernel .config options for building LTP SECURITY TESTS" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom