
SELinux Mailing List

Re: Updated Release

From: James Carter <jwcart2_at_epoch.ncsc.mil>
Date: 16 Mar 2004 08:16:02 -0500


On Fri, 2004-03-12 at 13:34, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. OpenPGP signatures are now available for
> released code. The site includes a new release of the SELinux prototype.
> Experimental SELinux NFS code has been made available. The base kernel

The experimental SELinux NFS patch consists of both a kernel patch and userland patches. The userland patches include a patch to mount adding a selinuxnfs filesystem type, an xattr mount option, and a selinux mount option. There is also a patch to exportfs to add a selinux export option. See the README in the nfs-usr archive for instructions.

The SELinux NFS patch modifies NFS v3 and the SELinux module. Some of the modifications:

1. The client can get and set extended attributes on the server. (Not limited to just security.selinux attributes.)
2. The client labels the security contexts of the selinuxnfs inodes with the security context received from the server.
3. The client sends the security context of the process to the server.
4. The server uses the security context of the process on the client to make security decisions.
5. More permission checking on the client and the server. (Ex. Not bypassing access calls to server if it is not an open or access.)

There are still the following limitations:

1. The client and server need to have essentially the same policy.
2. The client does not revalidate the security contexts for the NFS inodes. If the security context on the server is changed or from another client, it will not be reflected on the client. If the change is made on the client, then the client and server will have the correct context. I am currently working on a fix for this.
3. The fs create context is not currently passed to the server, so it depends on the client to set the context after the fact, widening the window where the file exists in the default type. I am also currently working on a fix for this.
4. Due to caching by the client, there is a strong dependence on the client to enforce the policy; the server can only directly mediate the initial request for data before it is cached and is also limited by the protocol.

Note that this patch does not address the RPC socket creation issue encountered by Stephen Tweedie of Red Hat; addressing that also requires a separate patch for sock_create.   

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

Received on Tue 16 Mar 2004 - 08:16:10 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009