| 1 |
On Tue, 2003-09-09 at 07:50, Bryan D. Stine wrote: |
| 2 |
> There's currently a showstopper with ReiserFS preventing full deployment |
| 3 |
> of the new SELinux API. Reiser3 doesn't support extended attributes with |
| 4 |
> which SELinux can apply labels, so unfortunately it would never be able |
| 5 |
> to work. Unfortunately, nobody has taken up a project to modify Reiser3, |
| 6 |
> so it looks like we're left waiting for Reiser4. PeBenito can offer you |
| 7 |
> more information about the new SELinux API. |
| 8 |
|
| 9 |
Yes, this is correct. However, we're going to have to go forward with |
| 10 |
the new API anyway. The old API isn't maintained anymore, and it would |
| 11 |
be impossible for us to support both APIs, since there are different |
| 12 |
kernels and sets of userland patches, and slightly different policy |
| 13 |
(Basically only changes in base-policy). |
| 14 |
|
| 15 |
|
| 16 |
> Peter Simons wrote: |
| 17 |
> |
| 18 |
> >I hear the Linux kernel version 2.6 includes most of the SELinux |
| 19 |
> >patches already and that some parts of the internal API security where |
| 20 |
> >changed for that. Thus I wonder: Is there any estimate when a |
| 21 |
> >2.6-based SELinux profile will be available for Gentoo? |
| 22 |
|
| 23 |
SELinux was accepted into 2.6 as of -test3, except the networking hooks |
| 24 |
were dropped (which we didn't support yet anyway). This is a new API |
| 25 |
which is incompatible to the stuff thats in portage. This API was |
| 26 |
backported to 2.4, and is in (masked) selinux-sources-2.4.21-r2. The |
| 27 |
new API does not run on libsecure (selinux-small), it now runs on |
| 28 |
libselinux. Selinux-small will be replaced in the new API by |
| 29 |
sys-libs/libselinux, sys-apps/checkpolicy, and sys-apps/policycoreutils, |
| 30 |
which are currently in portage, but masked. |
| 31 |
|
| 32 |
We're not planning on having a separate profile for 2.6, since the API |
| 33 |
will be the same as selinux-sources-2.4.21-r2. We will be switching our |
| 34 |
support over to the new API as soon as our portage labeling is updated, |
| 35 |
and we have the documentation for people to convert their installations. |
| 36 |
|
| 37 |
Non-x86 architectures will also begin to be supported in 2.6. I've got |
| 38 |
SELinux running on my PPC. Method and some others are looking into |
| 39 |
sparc support (once the kernel starts behaving). |
| 40 |
|
| 41 |
Again, I must emphasize that reiserfs people should convert to ext3 if |
| 42 |
possible. We've been trying to create the needed support for reiserfs, |
| 43 |
but haven't been successful. |
| 44 |
|
| 45 |
-- |
| 46 |
Chris PeBenito |
| 47 |
<pebenito@g.o> |
| 48 |
Developer, SELinux |
| 49 |
Hardened Gentoo Linux |
| 50 |
|
| 51 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 52 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives