[gentoo-hardened] SELinux integrated in 2.6.0-test3

[gentoo-hardened] SELinux integrated in 2.6.0-test3

[Martin de la Herran]

	Hi everybody,

In case you haven't seen it, SELinux patch is now integrated in the new
test kernel. This seems most interesting: 

-kernel source will not need to be patched for it
-it will be available in all configurations: no more problems merging
selinux patches and other (future) patches.
-more public awareness will probably mean more people will try and use
it.

I hope this move helps the hardened gentoo selinux project; I would be
glad to hear your opinion about this move: isn't it quite a big patch to
add into the -test series? (I thought they were into feature freeze
code, patching only). Anyway, I'm glad they are betting for it!

Greetings,

Martín de la Herrán.

test 3 Linus message and changelog:
http://marc.theaimsgroup.com/?l=linux-kernel&m=106040784910861&w=2


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] SELinux integrated in 2.6.0-test3

[Joshua Brindle]

Yes, LSM is fairly big and intrusive, the LSM guys and the SELinux guys
worked very hard to finally get it suitable for inclusion dispite the 
feature freeze (linus told them he'd accept it). It does mean, however
that there were API changes both in LSM and SELinux and so the 
userland, selinux libs, etc are totally different, we are in the process
of getting these new patches working so they can be put into
portage. Pebenito has already fixed up his policy to work with the
2.6 selinux (not many changes) and he's even running selinux on 
his PPC !! :)  (this wasn't possible with the older API that needed
architecture specific registers). 

This will certainly make SELinux more accessible to everyone, and
is a great step in Linux. Anyone who is willing to test the new
SELinux stuff on 2.6 you can drop by #gentoo-hardened or 
reply here, Thanks.

Joshua Brindle

>>> Martin de la Herran <zenzei@toison.com> 08/09/03 11:06AM >>>
	Hi everybody,

In case you haven't seen it, SELinux patch is now integrated in the new
test kernel. This seems most interesting: 

-kernel source will not need to be patched for it
-it will be available in all configurations: no more problems merging
selinux patches and other (future) patches.
-more public awareness will probably mean more people will try and use
it.

I hope this move helps the hardened gentoo selinux project; I would be
glad to hear your opinion about this move: isn't it quite a big patch to
add into the -test series? (I thought they were into feature freeze
code, patching only). Anyway, I'm glad they are betting for it!

Greetings,

Martín de la Herrán.

test 3 Linus message and changelog:
http://marc.theaimsgroup.com/?l=linux-kernel&m=106040784910861&w=2 


--
gentoo-hardened@gentoo.org mailing list


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] SELinux integrated in 2.6.0-test3

[Boyd Waters]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
|  It does mean, however
| that there were API changes both in LSM and SELinux and so the
| userland, selinux libs, etc are totally different, we are in the process
| of getting these new patches working so they can be put into
| portage. Pebenito has already fixed up his policy to work with the
| 2.6 selinux (not many changes) and he's even running selinux on
| his PPC !! :)  (this wasn't possible with the older API that needed
| architecture specific registers).

OK... so it should not be a surprise that I was not able to get SELinux
userspace tools to work with 2.6-test3...

Perhaps it would be interesting to note that other parts of
selinux-gentoo will *not* compile against 2.6 kernel headers.
Particularly ksyslogd (which thinks it knows about kernel modules but
that API has changed). Not certain about vcron.


- -- boyd
watersb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/Neky0is8k1r0QeURAjNHAKCNoTT8jUWNLDxE9ib987mUC6XRdgCbBg+C
2iD4zuXkzdHhMGBIR52GTag=
=U22R
-----END PGP SIGNATURE-----


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] SELinux integrated in 2.6.0-test3

[Phil West]

On Saturday, August 9, 2003, at 01:51 PM, Joshua Brindle wrote:

> Pebenito has already fixed up his policy to work with the
> 2.6 selinux (not many changes) and he's even running selinux on
> his PPC !! :)  (this wasn't possible with the older API that needed
> architecture specific registers).

Any tips on pulling this off?  Anything to watch out for?  I'm planning
on sticking another drive in my g4 powermac and dedicating it to linux. 
  I'd like to run selinux/ppc there.  Since I need to do an install from 
scratch, I can help debug & document if needed.

> This will certainly make SELinux more accessible to everyone, and
> is a great step in Linux. Anyone who is willing to test the new
> SELinux stuff on 2.6 you can drop by #gentoo-hardened or
> reply here, Thanks.

I've got an old SPARCstation LX (50Mhz) bootstrapped and it's currently 
working on an 'emerge system'.  I'd like to convert it into an 
selinux/sparc box.  I took a shot at a selinux-sparc-1.4 profile (not 
usable yet) and bootstrapped the system off of that, but fully 
implementing selinux looks like it will be non-trivial.  I'm willing to 
help test the 2.6 stuff once my box is ready.

The box probably won't finish it's emerge for another week or so.  [It 
was 4+ days just to bootstrap!  Gotta love old hardware. :) ]

-Phil


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] SELinux integrated in 2.6.0-test3

[Kumba]

Phil West wrote:

[snip]
> I've got an old SPARCstation LX (50Mhz) bootstrapped and it's currently 
> working on an 'emerge system'.  I'd like to convert it into an 
> selinux/sparc box.  I took a shot at a selinux-sparc-1.4 profile (not 
> usable yet) and bootstrapped the system off of that, but fully 
> implementing selinux looks like it will be non-trivial.  I'm willing to 
> help test the 2.6 stuff once my box is ready.
> 
> The box probably won't finish it's emerge for another week or so.  [It 
> was 4+ days just to bootstrap!  Gotta love old hardware. :) ]
> 
> -Phil

Let the Sparc team know how your experiments with selinux on it go.  I 
don't know how well 2.6 will boot on sparc32 hardware yet.  Wesolows on 
the Sparc team is helping with that in whatever spare time he can get, 
but as far as I know, it's still a bit of a battle and probably not very 
stable (if it can even boot).  You might have luck with 2.4, though.


--Kumba

-- 
"Such is oft the course of deeds that move the wheels of the world: 
small hands do them because they must, while the eyes of the great are 
elsewhere."  --Elrond


--
gentoo-hardened@gentoo.org mailing list