On Mon, 2005-05-23 at 07:49 -0400, Serge E. Hallyn wrote:
> Oh, as of very recently, I'm actually able to volunteer to do that :)
> So I'll happily update whatever I can find, though I'm not sure where
> all the patches should go and what all needs to be patched. Clearly
> selinuxfs and procutils. I'll dig around.

s/selinuxfs/libselinux, right?

Yes, libselinux and procps would definitely need to be changed. /etc/rc.d/rc.sysinit on Fedora/RHEL is also directly checking /proc/filesystems and /proc/self/attr/current to see whether SELinux is enabled and a policy is loaded, but that could likely be changed to use the selinuxenabled utility if it were moved to /sbin (so that it is accessible when rc.sysinit is run even if /usr is a separate partition).

The largest concern is backward compatibility, especially since FC3, FC4, and RHEL4 will all have shipped with userlands that assume that /proc/self/attr is the exclusive domain of SELinux. Or you'd have to have a coordinated update to kernel and libselinux (and procps and initscripts and whatever else).

> (I had been considering just leaving procattr unaddressed, but was
> told last Friday that another module will in fact be able to make
> good use of it)

An open source module?

> I'm not very "in the loop", but I understand there is another similar
> TPM based module which performs authorization, which should be released
> soon. It actually consists of two modules and so uses stacker just by
> itself. Of course there is digsig for people without TPMs. And
> seclvl.

Not clear that any of these other than seclvl should be using LSM; discussion on lkml for IMA suggests otherwise. No obvious value in stacking seclvl with SELinux vs. configuring SELinux policy to impose equivalent restrictions (but in a saner manner, since you can use policy on a per-process level to deal with the exception cases where you have to allow violations of the seclvl restrictions)?

-- 
Stephen Smalley
National Security Agency
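The kind of /proc probing the message attributes to rc.sysinit, written out as an added example (this is not code from the thread, from Fedora's initscripts, or from libselinux). The exact rc.sysinit logic is not reproduced; the two checks below (selinuxfs listed in /proc/filesystems, and a /proc/self/attr/current context other than "kernel" taken to mean "policy loaded") are an assumption about what such a script does. The functions take a root directory so they can be run against a constructed fake /proc tree, which is also how the demo at the bottom exercises them. The point the thread makes is visible in `selinux_policy_loaded`: it only works while /proc/self/attr is SELinux's alone, which is why the message suggests replacing such checks with the `selinuxenabled` utility from libselinux.

```shell
#!/bin/sh
# Added example: an approximation of init-script style SELinux detection,
# parameterised on ROOT so it can be tested against a fake /proc tree.
# The checks themselves are an assumption, not the real rc.sysinit code.

# selinux_kernel_support ROOT
#   true when the running kernel advertises selinuxfs in ROOT/proc/filesystems
selinux_kernel_support() {
    grep -q 'selinuxfs$' "$1/proc/filesystems" 2>/dev/null
}

# selinux_policy_loaded ROOT
#   true when the caller's context in ROOT/proc/self/attr/current is set and
#   is not the pre-policy "kernel" label.
#   Fragile by construction: it assumes /proc/self/attr belongs to SELinux
#   alone, which is exactly the compatibility concern raised in the thread.
selinux_policy_loaded() {
    ctx=$(cat "$1/proc/self/attr/current" 2>/dev/null) || return 1
    [ -n "$ctx" ] && [ "$ctx" != "kernel" ]
}

# selinux_state ROOT
#   prints one of: absent | enabled-no-policy | enabled
selinux_state() {
    if ! selinux_kernel_support "$1"; then
        echo absent
    elif selinux_policy_loaded "$1"; then
        echo enabled
    else
        echo enabled-no-policy
    fi
}

# make_fake_proc ROOT HAS_SELINUXFS(yes|no) CURRENT_CONTEXT
#   builds a constructed, minimal /proc tree under ROOT for offline use
make_fake_proc() {
    root=$1
    mkdir -p "$root/proc/self/attr"
    {
        printf 'nodev\tproc\n'
        printf '\text3\n'
        if [ "$2" = yes ]; then
            printf 'nodev\tselinuxfs\n'
        fi
    } > "$root/proc/filesystems"
    printf '%s' "$3" > "$root/proc/self/attr/current"
}

# Demo on three constructed trees: policy loaded, SELinux built in but no
# policy yet, and a kernel without SELinux at all.
demo_dir=$(mktemp -d)
make_fake_proc "$demo_dir/a" yes "system_u:system_r:init_t"
make_fake_proc "$demo_dir/b" yes "kernel"
make_fake_proc "$demo_dir/c" no "kernel"
for t in a b c; do
    echo "$t: $(selinux_state "$demo_dir/$t")"
done
rm -rf "$demo_dir"
```

On a real system you would call `selinux_state /`; the thread's recommendation is to stop doing this by hand and let `selinuxenabled` answer the question, since libselinux is the place where the kernel-facing interface can be updated once for every consumer.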
This archive was generated by hypermail 2.1.3 : Tue May 24 2005 - 08:24:49 PDT