SELinux Mailing List
From: Chad Hanson <chanson_at_tcs-sec.com>
Subject: [Announce][Patch] Enhanced MLS support
Date: Tue, 2 Mar 2004 14:44:18 -0500

Attached are patches to enable the detection of MLS on a SELinux system. This consists of an mls object inside of selinuxfs (/selinux/mls), a library call for libselinux (is_selinux_mls_enabled()), and application patches for pam and init. The init patch enables loading of MLS or non-MLS policy depending on kernel configuration. The pam patch will ask for the MLS level if a default context is not found.

-Chad

Chad Hanson                  mailto:chanson@tcs-sec.com
Trusted Computer Solutions   Phone: 217-384-0028 x12
121 W Goose Alley            Fax: 217-384-0288
Urbana IL 61801

<<linux-2.6.3_mls.patch>> <<libselinux.patch>>

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Subject: Re: [Announce][Patch] Enhanced MLS support
Date: Tue, 02 Mar 2004 15:34:18 -0500
Thanks for working on this. With regard to the libselinux function, note that the other libselinux functions have been converted to obtain the selinuxfs mount point from selinux_mnt (determined at runtime by libselinux/src/init.c:init_selinuxmnt()) rather than compiling in a fixed location. That allows the selinuxfs mount point to be easily changed without affecting any package other than SysVinit. There has been prior discussion of moving the selinuxfs mount point from /selinux to a better location, so we want to prepare for such a transition.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

From: Chad Hanson <chanson_at_tcs-sec.com>
Subject: RE: [Announce][Patch] Enhanced MLS support
Date: Tue, 2 Mar 2004 16:33:22 -0500
I have attached a new version of the library function utilizing selinuxmnt.

-----Original Message-----
On Tue, 2004-03-02 at 14:44, Chad Hanson wrote:
> Thanks for working on this. With regard to the libselinux function, note that the other libselinux functions have been converted to obtain the selinuxfs mount point from selinux_mnt (determined at runtime by libselinux/src/init.c:init_selinuxmnt()) rather than compiling in a fixed location. That allows the selinuxfs mount point to be easily changed without affecting any package other than SysVinit. There has been prior discussion of moving the selinuxfs mount point from /selinux to a better location, so we want to prepare for such a transition.
>
> --
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Subject: RE: [Announce][Patch] Enhanced MLS support
Date: Wed, 03 Mar 2004 14:10:36 -0500
Requires the additional diff below in order to compile. Applied. diff -X /home/sds/exclude -ru selinux-usr/libselinux/src/enabled.c selinux-usr-cvs/libselinux/src/enabled.c --- selinux-usr/libselinux/src/enabled.c 2003-12-12 11:27:20.000000000 -0500 +++ selinux-usr-cvs/libselinux/src/enabled.c 2004-03-03 14:00:31.000000000 -0500@@ -4,7 +4,10 @@ #include <selinux/selinux.h> #include <stdlib.h> #include <errno.h> +#include <limits.h> #include <asm/page.h> +#include <stdio.h> +#include "policy.h"
int is_selinux_enabled(void)
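Review bot: the unchanged context line `#include <asm/page.h>` pulls a kernel-internal header into userspace code; since this hunk is already reworking the include list of enabled.c to make it build, it would be cleaner to drop that include in favour of `sysconf(_SC_PAGESIZE)` from <unistd.h>, so libselinux no longer depends on kernel headers being installed. The message also says the extra includes are needed to compile without naming the symbols that required <limits.h>, <stdio.h> and "policy.h"; a one-line note on that would make the new dependency on the local policy.h clearer to anyone revisiting the mount-point change later.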
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

From: James Morris <jmorris_at_redhat.com>
Subject: Re: [Announce][Patch] Enhanced MLS support
Date: Wed, 3 Mar 2004 08:35:39 -0500 (EST)
> This patch does not apply to 2.6.3.
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Subject: Re: [Announce][Patch] Enhanced MLS support
Date: Wed, 03 Mar 2004 08:44:42 -0500
His patch is relative to 2.6.3-selinux1 (from nsa.gov), which includes the conditional policy extension changes. Waiting on 2.6.4 to send those upstream.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

From: Chad Hanson <chanson_at_tcs-sec.com>
Subject: RE: [Announce][Patch] Enhanced MLS support
Date: Wed, 3 Mar 2004 09:00:23 -0500
This just worked perfectly fine for me against the SourceForge NSA 2.6.3 kernel.

-Chad

-----Original Message-----
On Tue, 2 Mar 2004, Chad Hanson wrote:
> This patch does not apply to 2.6.3.
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Subject: Re: [Announce][Patch] Enhanced MLS support
Date: Wed, 03 Mar 2004 10:31:36 -0500
The init and pam patches will need to go to Dan (cc'd above) for inclusion after we have released a libselinux that includes is_selinux_mls_enabled(). This can happen independently of the kernel support getting into the Fedora kernel, as is_selinux_mls_enabled() will return 0 if /selinux/mls doesn't exist at all.

With regard to the init patch, it would likely be cleaner to bracket the snprintf with your test of is_selinux_mls_enabled() and print the entire version string (including -mls suffix if appropriate) once to the policy_file buffer; the separate strncat could theoretically overflow the buffer and is wasteful anyway (having to walk the string again).

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

From: Chad Hanson <chanson_at_tcs-sec.com>
Subject: RE: [Announce][Patch] Enhanced MLS support
Date: Wed, 3 Mar 2004 15:24:35 -0500
Here is a version of the init patch with Steve's suggested fixes.
-----Original Message-----
On Tue, 2004-03-02 at 14:44, Chad Hanson wrote:
> The init and pam patches will need to go to Dan (cc'd above) for inclusion after we have released a libselinux that includes is_selinux_mls_enabled(). This can happen independently of the kernel support getting into the Fedora kernel, as is_selinux_mls_enabled() will return 0 if /selinux/mls doesn't exist at all.
>
> With regard to the init patch, it would likely be cleaner to bracket the snprintf with your test of is_selinux_mls_enabled() and print the entire version string (including -mls suffix if appropriate) once to the policy_file buffer; the separate strncat could theoretically overflow the buffer and is wasteful anyway (having to walk the string again).
>
> --
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency
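Two points from this thread worked through in C, as an added example that is not part of Chad's patches or of libselinux: a probe of the mls node that takes the selinuxfs mount point as a runtime parameter and treats a missing node as "no MLS" (the behaviour Stephen describes for is_selinux_mls_enabled()), and the single-snprintf construction of the policy file name he suggested in place of snprintf plus strncat. The function names, the "policy.<ver>[-mls]" naming scheme and the throwaway directory standing in for selinuxfs are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Probe "<mnt>/mls": the mount point is passed in at runtime rather than
 * compiled in, and a missing node (kernel without the patch) yields 0, not
 * an error. Returns 1 (MLS), 0 (no MLS) or -1 (unreadable node). */
int probe_mls_enabled(const char *mnt)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/mls", mnt) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return errno == ENOENT ? 0 : -1;
    int enabled = 0, rc = fscanf(f, "%d", &enabled);
    fclose(f);
    return rc == 1 ? (enabled ? 1 : 0) : -1;
}

/* Build "<dir>/policy.<ver>[-mls]" (scheme assumed) with ONE snprintf, as
 * suggested for the init patch: no trailing strncat, so the suffix can never
 * run past the buffer. Returns 0, or -1 with buf emptied when it won't fit. */
int build_policy_path(char *buf, size_t len, const char *dir, int ver, int mls)
{
    int n = snprintf(buf, len, "%s/policy.%d%s", dir, ver, mls ? "-mls" : "");
    if (n < 0 || (size_t)n >= len) {
        if (len) buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed fixture standing in for selinuxfs: creates `dir` if needed,
 * with an "mls" node holding `value`, or with no node at all when value < 0.
 * Returns 0 on success, -1 on failure. */
int make_fake_selinuxfs(const char *dir, int value)
{
    char node[256];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (snprintf(node, sizeof node, "%s/mls", dir) >= (int)sizeof node) return -1;
    if (value < 0) { remove(node); return 0; }
    FILE *f = fopen(node, "w");
    if (!f) return -1;
    fprintf(f, "%d\n", value);
    fclose(f);
    return 0;
}
```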
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |