Old 07-08-2008, 09:10 AM
Jan Kasprzak
 
Enabling SELinux on a custom kernel

Hello,

how do I enable SELinux on a custom kernel? I have looked into
the system initrd, and it seems the policy is loaded by the "loadpolicy"
command in nash. Is it possible to use SELinux with Fedora without
having to use initrd?

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-08-2008, 12:24 PM
Stephen Smalley
 
Enabling SELinux on a custom kernel

On Tue, 2008-07-08 at 11:10 +0200, Jan Kasprzak wrote:
> Hello,
>
> how do I enable SELinux on a custom kernel? I have looked into
> the system initrd, and it seems the policy is loaded by the "loadpolicy"
> command in nash. Is it possible to use SELinux with Fedora without
> having to use initrd?

Prior to Fedora 9, Fedora used a patched /sbin/init program to perform
the initial policy load (it would load policy and then re-exec itself in
order to enter the correct domain). Fedora 9 switched over to loading
policy from the initrd.

Your options would seem to be:
- use an initrd (easiest),
- re-patch your /sbin/init program,
- try to do it from inittab or rc.sysinit (but the problem there is that
it doesn't get /sbin/init itself into the right domain).

--
Stephen Smalley
National Security Agency

 
Old 07-08-2008, 02:19 PM
"Serge E. Hallyn"
 
Enabling SELinux on a custom kernel

Quoting Stephen Smalley (sds@tycho.nsa.gov):
>
> On Tue, 2008-07-08 at 11:10 +0200, Jan Kasprzak wrote:
> > Hello,
> >
> > how do I enable SELinux on a custom kernel? I have looked into
> > the system initrd, and it seems the policy is loaded by the "loadpolicy"
> > command in nash. Is it possible to use SELinux with Fedora without
> > having to use initrd?
>
> Prior to Fedora 9, Fedora used a patched /sbin/init program to perform
> the initial policy load (it would load policy and then re-exec itself in
> order to enter the correct domain). Fedora 9 switched over to loading
> policy from the initrd.
>
> Your options would seem to be:
> - use an initrd (easiest),
> - re-patch your /sbin/init program,
> - try to do it from inittab or rc.sysinit (but the problem there is that
> it doesn't get /sbin/init itself into the right domain).

Aaaah. I was wondering why my new f9-based kvm image wasn't enabling
selinux when I started it with "-kernel bzImage". That's going to be
a bit of a pain, as I assume I'll have to import the kernel tree into
the f9 image in order to create an initrd.

-serge

 
Old 07-09-2008, 02:05 PM
Jan Kasprzak
 
Enabling SELinux on a custom kernel

Serge E. Hallyn wrote:
: Quoting Stephen Smalley (sds@tycho.nsa.gov):
: > Your options would seem to be:
: > - use an initrd (easiest),
: > - re-patch your /sbin/init program,
: > - try to do it from inittab or rc.sysinit (but the problem there is that
: > it doesn't get /sbin/init itself into the right domain).
:
: Aaaah. I was wondering why my new f9-based kvm image wasn't enabling
: selinux when I started it with "-kernel bzImage". That's going to be
: a bit of a pain, as I assume I'll have to import the kernel tree into
: the f9 image in order to create an initrd.

Mkinitrd does not need the kernel tree, just the modules installed
in /lib/modules/`uname -r`, some libraries from /lib{,64}, and some
configuration files (mdadm.conf, fstab, ld.so.conf). I had to iterate
over

mkinitrd /boot/initrd-2.6.25.10 2.6.25.10

adding --builtin=... options until it succeeded, and the resulting initrd
worked (at least it did load the SELinux policy).

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

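Added example, not part of the thread: small shell helpers for the two checks this exchange raises, iterating mkinitrd with --builtin options as Jan describes, and confirming afterwards that the initrd really loads policy and that /sbin/init ended up in its own domain (Stephen's concern with the inittab/rc.sysinit route). The mkinitrd error format it parses and the sample inputs are assumptions, constructed here.

```bash
#!/bin/sh
# Helpers for building and checking an initrd that loads SELinux policy on a
# custom kernel. All sample data below is constructed for the example.

# Turn mkinitrd failures of the form
#   "No module <mod> found for kernel <ver>, aborting."
# into the --builtin=<mod> options to add on the next attempt. The message
# format is an assumption about the mkinitrd of that era.
builtin_flags_from_log() {
    # $1: captured mkinitrd stderr from one or more failed runs
    printf '%s\n' "$1" \
      | sed -n 's/^No module \([^ ]*\) found for kernel .*, aborting\.$/--builtin=\1/p' \
      | awk '!seen[$0]++' \
      | tr '\n' ' ' | sed 's/ $//'
}

# Verify the nash init script extracted from the initrd has a loadpolicy
# step, i.e. the policy load the thread identifies will actually happen.
initrd_init_loads_policy() {
    # $1: path to the extracted "init" script
    grep -q '^[[:space:]]*loadpolicy' "$1"
}

# Verify PID 1's label (as printed by `ps -o label= -p 1`) shows init in
# init_t. If policy was loaded too late to re-exec init, it stays in
# kernel_t and later domain transitions will not line up with the policy.
init_domain_ok() {
    # $1: security context string of PID 1
    case "$1" in
        *:init_t:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample of two failed mkinitrd attempts
SAMPLE_LOG='No module ext3 found for kernel 2.6.25.10, aborting.
No module dm_mod found for kernel 2.6.25.10, aborting.'

# Print the next command to try, using the kernel version from the thread
next_mkinitrd_cmd() {
    echo "mkinitrd $(builtin_flags_from_log "$SAMPLE_LOG") /boot/initrd-2.6.25.10 2.6.25.10"
}
```

After booting the custom kernel with the resulting initrd, `ps -o label= -p 1` fed to init_domain_ok is the quick confirmation that the policy load happened early enough.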