Re: New stacker performance results

From: Stephen Smalley (sds@private)
Date: Tue May 24 2005 - 08:15:27 PDT

On Mon, 2005-05-23 at 07:49 -0400, Serge E. Hallyn wrote:
> Oh, as of very recently, I'm actually able to volunteer to do that :)
> So I'll happily update whatever I can find, though I'm not sure where
> all the patches should go and what all needs to be patched.  Clearly
> selinuxfs and procutils.  I'll dig around.

s/selinuxfs/libselinux, right?
Yes, libselinux and procps would definitely need to be
changed.  /etc/rc.d/rc.sysinit on Fedora/RHEL is also directly
checking /proc/filesystems and /proc/self/attr/current to see whether
SELinux is enabled and a policy is loaded, but that could likely be
changed to use the selinuxenabled utility if it were moved to /sbin (so
that it is accessible when rc.sysinit is run even if /usr is a separate

The largest concern is backward compatibility, especially since FC3,
FC4, and RHEL4 will all have shipped with userlands that assume
that /proc/self/attr is the exclusive domain of SELinux.  Or you'd have
to have a coordinated update to kernel and libselinux (and procps and
initscripts and whatever else).

> (I had been considering just leaving procattr unaddressed, but was
> told last friday that another module will in fact be able to make
> good use of it)

An open source module?

> I'm not very "in the loop", but I understand there is another similar
> TPM based module which performs authorization, which should be released
> soon.  It actually consists of two modules and so uses stacker just by
> itself.  Of course there is digsig for people without TPMs.  And
> seclvl.

Not clear that any of these other than seclvl should be using LSM;
discussion on lkml for IMA suggests otherwise.  No obvious value in
stacking seclvl with SELinux vs. configuring SELinux policy to impose
equivalent restrictions (but in a saner manner, since you can use policy
on a per-process level to deal with the exception cases where you have
to allow violations of the seclvl restrictions)?

Stephen Smalley
National Security Agency

This archive was generated by hypermail 2.1.3 : Tue May 24 2005 - 08:24:49 PDT