dazuko-devel
Re: UNS: [Dazuko-devel] 2.3.5-pre1 (patch) posted


From: jim burns
Subject: Re: UNS: [Dazuko-devel] 2.3.5-pre1 (patch) posted
Date: Sun, 23 Mar 2008 22:26:24 -0400
User-agent: KMail/1.9.9

On Thursday 20 March 2008 07:34:52 pm John Ogness wrote:
> One of the nice things about the patch is that it allows you to
> configure a boot parameter for Dazuko. It is hoped that this will
> encourage some distributions to include the kernel patch with Dazuko
> disabled by default. Then users could activate Dazuko by simply adding
> "dazuko=1" as a boot parameter. This is also how SELinux does it.
>
> LSM modules will be loaded in the following order:
>
> 1. SELinux
> 2. Dazuko
> 3. Capabilities
>
> As always, only 2 of the 3 modules can be used simultaneously.

And in more detail from your patch, security/dazuko/Kconfig section:

+config SECURITY_DAZUKO
+       bool "Dazuko Support"
[...]
+         This module will NOT work if both "NSA SELinux Support" and
+         "Default Linux Capabilities" are enabled.
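
Review bot: the help text of SECURITY_DAZUKO says the module will NOT work when both "NSA SELinux Support" and "Default Linux Capabilities" are enabled, but it does not say what the user will observe in that case or how to pick two of the three. Suggest the help text name the symptom and the way to select a working pair, and consider whether the constraint can be expressed in Kconfig itself rather than only in prose, so that an unworkable selection is caught at configuration time.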

This could cause problems having to disable selinux or capabilities.

There are a number of Fedora services that will not start without 
capabilities, such as dbus and ntp/ntpdate, and not having dbus causes other 
services not to initialize, such as mcstrans & avahi. (For some reason, SuSE 
works fine w/o capabilities.) What I used to do was delay loading dazuko 
until I could unload capabilities in /etc/rc.local, but now your patch 
compiles dazuko statically into the kernel, not as a module.

I could easily do without selinux personally, but I suspect I would not 
always have that option when working for other people.

So I'm thinking out loud about solutions:

1) Disable something at runtime. From security/selinux/Kconfig:

config SECURITY_SELINUX_DISABLE
        bool "NSA SELinux runtime disable"
        depends on SECURITY_SELINUX
        default n
        help
          This option enables writing to a selinuxfs node 'disable', which
          allows SELinux to be disabled at runtime prior to the policy load.
          SELinux will then remain disabled until the next boot.
          This option is similar to the selinux=0 boot parameter, but is to
          support runtime disabling of SELinux, e.g. from /sbin/init, for
          portability across platforms where boot parameters are difficult
          to employ.

Not sure what a 'selinuxfs node' is, or what commands get that to work, but 
not being able to re-enable till the next reboot is not what I'm looking for. 
For this to work, both dazuko & (selinux or capabilities) would have to 
support dynamic enable/disable.

2) Some kernel patch to allow all three functions to be active at the same 
time. Is there such a beast?

3) Your patch did give me an idea about a simple patch to security/Kconfig. 
Change:

config SECURITY_CAPABILITIES
        bool "Default Linux Capabilities"

back to:

config SECURITY_CAPABILITIES
        tristate "Default Linux Capabilities"

so you can once again select 'm' for module in kernel configuration. Of 
course, that will only work till kernel.org prunes what they think is dead 
code from the security code, and you won't be able to compile capabilities as 
a module anymore. Of course, I'm sure John knows all about chasing a moving 
target. I'm currently recompiling my fc8 kernel to see if this will work.

Any other ideas?
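
A check for the constraint discussed in this message, as an added example that is not part of the original post or of the Dazuko patch: it reads a kernel .config and a boot command line and reports whether SELinux, Dazuko and capabilities would all be active together. The function names, the sample .config, the dazuko=0 parameter and the Dazuko default argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Dazuko patch; the sample .config below is constructed.

# Print y, m or n for CONFIG_<symbol> in a kernel .config file.
lsm_state() {
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# lsm_check CONFIG "CMDLINE" [DAZUKO_DEFAULT]
# Prints "conflict" when SELinux, Dazuko and capabilities would all be
# active at boot, "cap-module" when capabilities is built as a module
# (option 3 in the message, so it can be loaded or unloaded later), else "ok".
lsm_check() {
    se=$(lsm_state "$1" SECURITY_SELINUX)
    dz=$(lsm_state "$1" SECURITY_DAZUKO)
    cap=$(lsm_state "$1" SECURITY_CAPABILITIES)
    dz_on=${3:-1}                # assumption: Dazuko active unless told otherwise
    for arg in $2; do
        case $arg in
            selinux=0) se=n ;;       # boot parameter named in the SELinux help text
            dazuko=1)  dz_on=1 ;;    # boot parameter named in the thread
            dazuko=0)  dz_on=0 ;;    # assumed by analogy with selinux=0
        esac
    done
    [ "$dz_on" = 1 ] || dz=n
    if [ "$se$dz$cap" = yyy ]; then
        echo conflict
    elif [ "$cap" = m ]; then
        echo cap-module
    else
        echo ok
    fi
}

# Constructed sample .config fragment for a quick run.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_DAZUKO=y
CONFIG_SECURITY_CAPABILITIES=y
EOF
echo "all three built in: $(lsm_check "$demo_cfg" "ro quiet")"
echo "booted selinux=0:   $(lsm_check "$demo_cfg" "ro selinux=0")"
rm -f "$demo_cfg"
```

Pass 0 as the third argument to model a kernel that ships Dazuko disabled until dazuko=1 is given.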



