[ubuntu-hardened] SELinux support in upstart

Stephen Carpenter, KSC sjc at carpanet.net
Sun Mar 18 16:54:11 GMT 2007


On Sun, Mar 18, 2007 at 02:59:33PM +0000, Paul Sladen wrote:
> On Sun, 18 Mar 2007, Chad Sellers wrote:
> > On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> > > On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
> > > For example, could the policy be loaded in the initramfs
> > if the initrd is going to load the policy then the initrd has to have
> > the policy. So, you have to rebuild the initrd repeatedly.
> 
> The filesystem containing /the policy/ has to be available.  What I would
> imagine is that the loader script is dropped into the initramfs so that
> execution of the loader occurs between '/' being located + mounted and
> *before* '/sbin/init' is executed.
> 
> In this case, you'd have "apt-get install selinux" install something like:
> 
>   /usr/share/initramfs-tools/scripts/init-bottom/selinux

Yup, that's pretty much what I did on my boxes to make it work. I copied
rather liberally from an RHEL system, as that's what I was familiar with.

Nice to support things like .autorelabel etc.

> and once this 'initramfs' is rebuilt, then the 'selinux' loader file will be
> executed on next boot.  As the root-filesystem is now available, the loader
> can find the policy files there ('/etc/security/*'?). This is still before
> 'init' ('upstart') has been handed control.

Heh, you mean the second init? I believe from the kernel's perspective, init
started right after it loaded the initramfs :) or does control get
passed back? I thought the initramfs handled the whole mounting and
control passing.
 
> The actual policy files would continue to remain where they do
> currently.  The only time that the initramfs would be regenerated is when a
> new version of SELinux is released---and the regeneration being automatic on
> installation of the new package.

Um... um.... actually I think it makes sense to distribute a binary
policy package. Maybe support a policy package that builds from source
every time or something... but overall there should be a binary policy
package and a separate source package that can be used to generate
custom binary policy packages.

The whole concept is that you would have source on one machine, and then
build binary policies to distribute elsewhere on it. 

> > Not everyone uses an initrd.
> 
> Everyone these days /does/ use initramfs :)  Some just use initramfs
> more than others!

Um, I would think a person who decides to build a monolithic kernel (I
used to; I have since decided I compiled enough kernels in my day, and
stopped) could opt out of using it.

Though, if someone decides to customize that much, it's reasonable to
expect some things to not work without hand tweaking.
 
> I think though that SELinux is attempting to do things "before the system is
> started", in which case a far better place for SELinux to be doing its magic
> is the sort of "management mode" environment that initramfs provides.

From what I remember, most of this is pretty easy. Yup, you put it in the
initramfs etc. The scripts are fairly straightforward, and can easily be
lifted from another system where it works :)...

The hard part is coming up with a reasonably well worked out and tested
targeted policy, as I really don't see strict as a viable policy yet,
not till there are a lot more people familiar with SELinux and
significantly more out-of-the-box type enforcement definitions with
their kinks worked out.

I grabbed the one RHEL was distributing... it works mostly well. However,
it wasn't anything I dove into enough that I was really comfortable
with.

Though once a good solid targeted base is in place (last time I tried to
install this stuff straight up there was some quirkiness to the packages
and targeted was severely broken)

Admittedly I am shooting a bit from the hip here... I don't have the
customizations I made on this box or anything.

-Steve

-- 
"We do everything by custom, even believe by it; our very axioms,
 let us boast of free-thinking as we may, are oftenest simply such
 beliefs as we have never questioned"
                -- Thomas Carlyle
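A loader script of the shape the thread describes, as an added example (not code from the thread, from RHEL, or from Ubuntu's packaging): it reads the mode and policy type from the root filesystem's /etc/selinux/config, picks the newest binary policy found there, and pushes it into selinuxfs before /sbin/init is exec'd. The config path, the policy directory layout, the /selinux mount point and the function names are assumptions.

```sh
#!/bin/sh
# Added example of an initramfs-tools "init-bottom" hook: runs after the real
# root is mounted at ${rootmnt} and before /sbin/init is exec'd. Assumed layout:
# etc/selinux/config, etc/selinux/<type>/policy/policy.<N>, selinuxfs at /selinux.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac

# Parse SELINUX= and SELINUXTYPE= from a config file; prints "<mode> <type>".
# A missing file yields "disabled targeted" so an unconfigured box still boots.
selinux_read_config() {
    cfg=$1; mode=disabled; seltype=targeted
    [ -r "$cfg" ] || { echo "$mode $seltype"; return 0; }
    while IFS='=' read -r key val; do
        case "$key" in
            SELINUX)     mode=$val ;;
            SELINUXTYPE) seltype=$val ;;
        esac
    done < "$cfg"
    echo "$mode $seltype"
}

# Newest binary policy in a directory (policy.24 beats policy.21); 1 if none.
selinux_latest_policy() {
    dir=$1; best=""; bestver=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case "$ver" in *[!0-9]*) continue ;; esac    # skip policy.bak etc.
        if [ "$ver" -gt "$bestver" ]; then best=$f; bestver=$ver; fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# Hook body: load the policy the root filesystem ships, or leave SELinux off.
selinux_init_bottom() {
    set -- $(selinux_read_config "${rootmnt}/etc/selinux/config")
    mode=$1; seltype=$2
    [ "$mode" = disabled ] && return 0
    policy=$(selinux_latest_policy "${rootmnt}/etc/selinux/${seltype}/policy") || {
        echo "selinux: no binary policy for type ${seltype}; not loading" >&2
        return 0
    }
    mkdir -p /selinux; mount -t selinuxfs selinuxfs /selinux 2>/dev/null || true
    cat "$policy" > /selinux/load                 # what load_policy(8) does
    [ "$mode" = permissive ] && echo 0 > /selinux/enforce
    if [ -e "${rootmnt}/.autorelabel" ]; then echo "selinux: relabel pending" >&2; fi
}
if [ -n "${rootmnt:-}" ]; then selinux_init_bottom; fi   # rootmnt: set by initramfs-tools
```

Dropped into /usr/share/initramfs-tools/scripts/init-bottom/ and followed by an update-initramfs run, the hook only needs regenerating when the script itself changes; the policy files stay on the root filesystem.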
