[ubuntu-hardened] SELinux support in upstart
chad at thesellers.net
Sun Mar 18 22:26:46 GMT 2007
On Mar 18, 2007, at 12:54 PM, Stephen Carpenter, KSC wrote:
> On Sun, Mar 18, 2007 at 02:59:33PM +0000, Paul Sladen wrote:
>> On Sun, 18 Mar 2007, Chad Sellers wrote:
>>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
>>>> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
>>>> For example, could the policy be loaded in the initramfs
>>> if the initrd is going to load the policy then the initrd has to
>>> the policy. So, you have to rebuild the initrd repeatedly.
>> The filesystem containing /the policy/ has to be available. What I would
>> imagine is that the loader script is dropped into the initramfs so
>> execution of the loader occurs between '/' being located + mounted
>> *before* '/sbin/init' is executed.
>> In this case, you'd have "apt-get install selinux" install something like:
> Yup that's pretty much what I did on my boxes to make it work. I copied
> rather liberally from an RHEL system, as that's what I was familiar
RHEL has a patched init (rather than doing this in an initramfs). So,
if you copied from RHEL, you didn't do this.
> Nice to support things like .autorelabel etc.
>> and once this 'initramfs' is rebuilt, then the 'selinux' loader file will be
>> executed on next boot. As the root-filesystem is now available, the loader
>> can find the policy files there ('/etc/security/*'?). This is still before
>> 'init' ('upstart') has been handed control.
> heh you mean second init? I believe from the kernel's perspective,
> started right after it loaded the initramfs :) or does control get
> passed back? I thought the initramfs handled the whole mounting and
> control passing.
>> The actual policy files would continue to remain where they do
>> currently. The only time that the initramfs would be regenerated is when a
>> new version of SELinux is released---and the regeneration being automatic on
>> installation of the new package.
> Um... um.... actually I think it makes sense to distribute a binary
> policy package. Maybe support a policy package that builds from source
> every time or something... but overall there should be a binary policy
> package and a separate source package that can be used to generate
> custom binary policy packages.
What do you mean distribute a binary policy package? Isn't this
what's already done? How does this conflict with what Paul was
> The whole concept is that you would have source on one machine, and
> build binary policies to distribute elsewhere on it.
>>> Not everyone uses an initrd.
>> Everyone these days /does/ use initramfs :) Some just use initramfs
>> more than others!
> Um I would think a person who decides to build a monolithic kernel (I
> used to, have since decided I compiled enough kernels in my day, and
> stopped) could opt out from using it.
> Though, if someone decides to customize that much, it's reasonable to
> expect some things to not work without hand tweaking.
>> I think though that SELinux is attempting to do things "before the system is
>> started", in which case a far better place for SELinux to be doing its magic
>> is the sort of "management mode" environment that initramfs provides.
> From what I remember, most of this is pretty easy. Yup you put it in
> initramfs etc. The scripts are fairly straightforward, and can easily be
> lifted from another system where it works :)...
> the hard part is coming up with a reasonably well worked out and
> targeted policy, as I really don't see strict as a viable policy yet,
> not till there are a lot more people familiar with SELinux and
> significantly more out of the box type enforcement definitions with
> their kinks worked out.
Granted that policy is the larger problem here. I was just hoping to
get to the point where I could enable SELinux simply so that more
people could start playing with it and submitting policy changes.
> I grabbed the one RHEL was distributing... it works mostly good.
> it wasn't anything I dove into enough that I was really comfortable
Manoj Srivastava has done a lot of work to get the policy working
under etch on Debian. Those packages are now available in universe,
so they're probably a better starting point.
> Though once a good solid targeted base is in place (last time I tried to
> install this stuff straight up there was some quirkiness to the
> and targeted was severely broken)
> Admittedly I am shooting a bit from the hip here... I don't have the
> customizations I made on this box or anything.
> "We do everything by custom, even believe by it; our very axioms,
> let us boast of free-thinking as we may, are oftenest simply such
> beliefs as we have never questioned"
> -- Thomas Carlyle
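Paul's sketch above, a loader that runs once '/' is mounted but before '/sbin/init' gets control, written out as an initramfs-tools local-bottom script. This is an added illustration, not code from the thread, from RHEL or from any of the packages discussed; the selinux_policy_file helper, the /selinux mount point and the load_policy invocation with a file argument are assumptions about the 2007-era tooling.

```shell
#!/bin/sh
# Sketch of /usr/share/initramfs-tools/scripts/local-bottom/selinux (assumed
# location). initramfs-tools runs local-bottom scripts after the root
# filesystem is mounted at $rootmnt and before run-init execs /sbin/init.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac

# Read SELINUX= and SELINUXTYPE= from the mounted root's selinux config and
# print the newest policy.NN file for that policy type. Takes the config path
# as an argument so the logic can be checked without booting. Returns non-zero
# when SELinux is disabled, the config is unreadable or no policy exists, so
# the boot simply continues without loading anything.
selinux_policy_file() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ "$mode" = "enforcing" ] || [ "$mode" = "permissive" ] || return 1
    type=$(sed -n 's/^SELINUXTYPE=\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$type" ] || return 1
    dir=$(dirname "$cfg")/$type/policy
    # Pick the highest policy version present, e.g. policy.21 over policy.20.
    newest=$(ls "$dir" 2>/dev/null | grep '^policy\.[0-9][0-9]*$' \
             | sort -t. -k2,2n | tail -n 1)
    [ -n "$newest" ] || return 1
    echo "$dir/$newest"
}

# Boot-time path: only taken inside the initramfs, where $rootmnt is set.
if [ -n "$rootmnt" ] && policy=$(selinux_policy_file "$rootmnt/etc/selinux/config"); then
    # Assumed: selinuxfs is expected at /selinux (the 2007 mount point) and the
    # root's own load_policy is used via chroot so the kernel gets the policy
    # that matches the installed packages, before upstart starts any job.
    mount -t selinuxfs selinuxfs "$rootmnt/selinux" 2>/dev/null || true
    chroot "$rootmnt" /sbin/load_policy "${policy#$rootmnt}" \
        || echo "selinux: failed to load ${policy#$rootmnt}" >&2
fi
```

Because the policy is read from the real root, the initramfs only needs rebuilding when this script changes, which is the property Paul was after.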