Bugzilla – Bug 131554
sysvinit: add SELinux patches for loading policy on boot
Last modified: 2007-09-27 09:09:07 UTC
Please add the following patch from Fedora to the sysvinit-package: http://cvs.fedora.redhat.com/viewcvs/devel/SysVinit/sysvinit-selinux.patch?view=markup This patch changes sysvinit to load SELinux policy at boot time if it is available (via libselinux). If SELinux is disabled behaviour should be unchanged. This patch is needed for full SELinux support in openSUSE.
In principal yes. But I see two problems: SELinux is disabled per default for us and I'm not sure about this getenv/putenv calls. And we don't have libsepol.
Even if we would support libsepol, wouldn't it much better to load the load SELinux policy from the initial ramfs/linuxrc instead of using init? Hannes?
mkinitrd -S
Ah ... OK, let's have a look into the manual page of mkinitrd: [...] -g Use glibc binaries instead of klibc ones. -u Do not use udev for device discovery. -S Load policy file for SELinux if exists. -V script Vendor specific script to run in linuxrc. [...] ... in other words, this report can be closed with WORKSFORME.
Sorry, but it does not work; mkinitrd-1.2-49 (ie the current development version) tries to load a policy version 15 from /etc/security/selinux which is both the wrong version (current policy version is 20) and wrong path (correct would be /etc/selinux/$POLICYTYPE/policy, where POLICYTYPE is something like "strict" or "targeted"). Of course, this could be solved, but I think only supporting loading policy via initrd is not good; there are many people (myself included) who don't use initrds at all; also, the current scheme requires an initrd rebuild on every policy change (which happens quite often while developing policy). But the more important point is that all other distributions supporting SELinux (that is Fedora, Gentoo and Debian) use the patch I linked to. I'm working on integrating SELinux into SUSE; I think it would be cool if SUSE supported SELinux out of the box with as little changes from other distros as possible (even if SELinux is disabled by default which would be OK)
Sorry but why you do not use initrd? And why is supporting SELinux with initrd bad in comparision to init? I can add the patch but I do not see the advantage in comparision to the initrd version. Even more, any initrd system would be protected by SELinux as long the final init is not executed. This is IMHO a potential risk. Hannes? Please could you fix the SELinux support of mkinitrd and then reassign this bug back to me, thanks.
Where I work not using an initrd is policy because initrds are, in our experience, too fragile and unneeded for our environment (all kernels are selfcompiled). Apart from that I don't think an initrd will work well. Modern policy has booleans which can be toggled at runtime (via setsebool). To make the settings permanent, users can write the settings to /etc/selinux/$POLICYTYPE/booleans.local (via setsebool -P). On system startup, this file is read and the settings applied. There are some other settings (available users, for example) which are also read from disk. This means that you need to have the root disk mounted when loading SELinux policy, at which point you can just do it from init. (You could of course load an initial policy from the initrd and load the main policy from init, but I don't think the security difference is that great).
Q: How do you check the root file system when used with modern journal file system? Most of those file systems should not be checked if mounted, even if only mounted readonly. The days of ext2 are gone.
A: Boot a special kernel over the net (with root on NFS) and go from there. At least this is our setup. Of course, this is not how most people would do it. But I still think the easiest way is to load it from init, as you need to have access to the disk anyway.
Hmm ... ``access'' before file system check is not the same as ``hold mounted'' during file system check. Nevertheless, without the libsepol the patch for SELinux for sysvinit is rather useless. I can add the patch but it must stay disabled at compile time.
Args the patch does not fit into sysvinit-2.86.
I'm going tired, now the functiuon call `selinux_init_load_policy' is not found in libselinux 1.25.
I'm sorry, I didn't look close enough if all dependencies are fulfilled. I just asked on the SELinux mailing list if the development versions of libselinux, libsepol and libsemanage are stable enough to be used for a release; if yes I will file separate bugs so they can be included in SUSE. After I have verified that sysvinit builds on vanilla SUSE with SELinux patches applied I will come back.
Created attachment 56759 [details] sysvinit-2.86-selinux.patch This is the current patch I'm using. It seems that the changes in killproc.c are not needed anymore.
It seems that at least libselinux 1.27.6 is required.
We don't officially support SELinux.