[ubuntu-hardened] SELinux support in upstart

Chad Sellers chad at thesellers.net
Sun Mar 18 22:26:46 GMT 2007


On Mar 18, 2007, at 12:54 PM, Stephen Carpenter, KSC wrote:

> On Sun, Mar 18, 2007 at 02:59:33PM +0000, Paul Sladen wrote:
>> On Sun, 18 Mar 2007, Chad Sellers wrote:
>>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
>>>> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
>>>> For example, could the policy be loaded in the initramfs
>>> if the initrd is going to load the policy then the initrd has to have
>>> the policy. So, you have to rebuild the initrd repeatedly.
>>
>> The filesystem containing /the policy/ has to be available. What I would
>> imagine is that the loader script is dropped into the initramfs so that
>> execution of the loader occurs between '/' being located + mounted and
>> *before* '/sbin/init' is executed.
>>
>> In this case, you'd have "apt-get install selinux" install something like:
>>
>>   /usr/share/initramfs-tools/scripts/init-bottom/selinux
>
> Yup that's pretty much what I did on my boxes to make it work. I copied
> rather liberally from an RHEL system, as that's what I was familiar with.
>
RHEL has a patched init (rather than doing this in an initramfs). So,  
if you copied from RHEL, you didn't do this.

> Nice to support things like .autorelabel etc.
>
>> and once this 'initramfs' is rebuilt, then the 'selinux' loader file will be
>> executed on next boot. As the root-filesystem is now available, the loader
>> can find the policy files there ('/etc/security/*'?). This is still before
>> 'init' ('upstart') has been handed control.
>
> heh you mean second init? I believe from the kernel's perspective, init
> started right after it loaded the initramfs :) or does control get
> passed back? I thought the initramfs handled the whole mounting and
> control passing.
>
>> The actual policy files would continue to remain where they do
>> currently. The only time that the initramfs would be regenerated is when a
>> new version of SELinux is released---and the regeneration being automatic on
>> installation of the new package.
>
> Um... um.... actually I think it makes sense to distribute a binary
> policy package. Maybe support a policy package that builds from source
> every time or something... but overall there should be a binary policy
> package and a separate source package that can be used to generate
> custom binary policy packages.
>
What do you mean distribute a binary policy package? Isn't this
what's already done? How does this conflict with what Paul was
proposing?

> The whole concept is that you would have source on one machine, and then
> build binary policies to distribute elsewhere on it.
>
>>> Not everyone uses an initrd.
>>
>> Everyone these days /does/ use initramfs :)  Some just use initramfs
>> more than others!
>
> Um, I would think a person who decides to build a monolithic kernel (I
> used to, have since decided I compiled enough kernels in my day, and
> stopped) could opt out from using it.
>
> Though, if someone decides to customize that much, it's reasonable to
> expect some things to not work without hand tweaking.
>
>> I think though that SELinux is attempting to do things "before the system is
>> started", in which case a far better place for SELinux to be doing its magic
>> is the sort of "management mode" environment that initramfs provides.
>
> From what I remember, most of this is pretty easy. Yup you put it in the
> initramfs etc. The scripts are fairly straightforward, and can easily be
> lifted from another system where it works :)...
>
> the hard part is coming up with a reasonably well worked out and tested
> targeted policy, as I really don't see strict as a viable policy yet,
> not till there are a lot more people familiar with SELinux and
> significantly more out of the box type enforcement definitions with
> their kinks worked out.
>
Granted that policy is the larger problem here. I was just hoping to  
get to the point where I could enable SELinux simply so that more  
people could start playing with it and submitting policy changes.

> I grabbed the one RHEL was distributing... it works mostly good. However
> it wasn't anything I dove into enough that I was really comfortable with.
>
Manoj Srivastava has done a lot of work to get the policy working  
under etch on Debian. Those packages are now available in universe,  
so they're probably a better starting point.

Chad

> Though once a good solid targeted base is in place (last time I tried to
> install this stuff straight up there was some quirkiness to the packages
> and targeted was severely broken)
>
> Admittedly I am shooting a bit from the hip here... I don't have the
> customizations I made on this box or anything.
>
> -Steve
>
> -- 
> "We do everything by custom, even believe by it; our very axioms,
>  let us boast of free-thinking as we may, are oftenest simply such
>  beliefs as we have never questioned"
>                 -- Thomas Carlyle
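The loader hook Paul sketches above (a script under /usr/share/initramfs-tools/scripts/init-bottom/ that loads the policy from the already-mounted root before /sbin/init runs) could look roughly like the following. This is an added example written for this thread, not code from any Ubuntu or Debian package or from the people quoted. It assumes the initramfs-tools convention that init-bottom scripts are run with the real root mounted at $rootmnt, that the policy lives at /etc/selinux/<type>/policy/policy.<N> and is selected by SELINUXTYPE in /etc/selinux/config, and that selinuxfs is mounted at /selinux (the 2007-era mount point); the helper names are mine.

```sh
#!/bin/sh
# Added example (not from the thread or any package): an initramfs-tools
# "init-bottom" hook that loads the SELinux policy from the root filesystem.
# init-bottom runs after the root is mounted at $rootmnt and before the real
# /sbin/init is exec'd, so only this loader lives in the initramfs and the
# policy itself stays on root (no initramfs rebuild when the policy changes).
# Assumptions: policy layout, config format and /selinux as the selinuxfs mount.

PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

# Return 1 if "selinux=0" appears on the kernel command line given as $1.
selinux_wanted() {
    for arg in $1; do
        case "$arg" in
            selinux=0) return 1 ;;
        esac
    done
    return 0
}

# Print SELINUXTYPE from an /etc/selinux/config style file ($1); default "targeted".
policy_type() {
    t=""
    if [ -r "$1" ]; then
        t=$(sed -n 's/^SELINUXTYPE=\([A-Za-z0-9_-]*\).*/\1/p' "$1" | tail -n 1)
    fi
    echo "${t:-targeted}"
}

# Print the newest binary policy <root>/etc/selinux/<type>/policy/policy.N
# (highest N), or nothing if no policy of that type is installed.
policy_file() {
    dir="$1/etc/selinux/$2/policy"
    for f in "$dir"/policy.*; do
        [ -f "$f" ] && echo "${f##*/policy.} $f"
    done | sort -n | tail -n 1 | cut -d' ' -f2-
}

# Load the policy for the root mounted at $1; $2 overrides /proc/cmdline (for tests).
load_selinux_policy() {
    root="$1"
    cmdline=$(cat "${2:-/proc/cmdline}" 2>/dev/null)
    selinux_wanted "$cmdline" || { echo "selinux: disabled on kernel command line" >&2; return 0; }
    ptype=$(policy_type "$root/etc/selinux/config")
    policy=$(policy_file "$root" "$ptype")
    if [ -z "$policy" ]; then
        # No policy installed for the configured type: boot unlabeled rather than halt.
        echo "selinux: no binary policy for type '$ptype' under $root, not loading" >&2
        return 0
    fi
    # selinuxfs must be visible where libselinux inside the root expects it;
    # load_policy then reads the root's /etc/selinux/config and loads $policy.
    mkdir -p "$root/selinux"
    mount -t selinuxfs selinuxfs "$root/selinux" 2>/dev/null
    chroot "$root" /sbin/load_policy
}

# At real boot initramfs-tools sets $rootmnt; when sourced elsewhere this is a no-op.
if [ -n "$rootmnt" ]; then
    load_selinux_policy "$rootmnt"
fi
```

The policy lookup is only a sanity check before calling load_policy: when the configured type has no compiled policy the hook logs and returns 0, so the machine still boots (unlabeled, as if SELinux were off) instead of hanging in the initramfs. On Steve's "second init" question: from the kernel's point of view there is only one PID 1; the initramfs /init runs this hook and then execs run-init, which replaces itself with the real /sbin/init, so the loader really does run before upstart takes over.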
