Add SELinux permissive domains to fedora kernels

Dave Jones davej at redhat.com
Mon Mar 31 18:24:38 UTC 2008


On Mon, Mar 31, 2008 at 02:07:44PM -0400, Eric Paris wrote:
 > I know it's way late but I'd like to add a new SELinux concept to the F9
 > kernels.  It's going to be a backport of a couple of my changesets headed
 > upstream
 > 
 > http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=32021b669089eb9b264e6b26af4d9a47eb50d4f1
 > http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=70d212ebfdd5e39a9d4fb0f8f7ea5c38486f6b04
 > http://git.kernel.org/?p=linux/kernel/git/jmorris/selinux-2.6.git;a=commitdiff;h=559dbbc87d0a5d2eb88bbbea5f2b66ee2dfd55d6
 > 
 > Only the third patch is truly interesting.
 > 
 > A permissive domain is a new concept in which a sysadmin can say that a
 > given domain is free to do anything it wants.  Let's say a user seriously
 > customized httpd and they want httpd to just be allowed to run wild
 > while still keeping enforcing for everything else in the system.  With
 > the kernel patch I want to commit and the userspace changes Dan has
 > already pushed this week they just need a simple policy which says
 > "permissive httpd_t" and all their httpd_t denials become allows!
 > 
 > One of the upstream patches adds a BUG_ON() but I'm still a teensy bit
 > scared of it so in the F9 patch I'll probably make it a WARN_ON since it
 > isn't really deadly to the kernel...   anyway.  Chances of regression
 > here are very very low.
 > 
 > I would just jam this in myself but we are getting really late and I
 > wanted people to be able to tell me no before I did it.  If no one
 > strongly objects quickly expect to see a commit message early this
 > week....

It is indeed, very late.  I'm concerned by just how much busted stuff
we have[*], so shovelling in more features after the feature freeze is
making me wince.  From a quick look at the patches, this is a fairly
small amount of code that's changing, that looks harmless.

What userspace changes are necessary for this? Are they in place already?
We'll pick this up anyway in 2-3 months as an F9 update when we rebase
to 2.6.26, so I guess the userspace bits will have to be done at some point,
but I'd rather we spent effort beating what we have already into shape
than forward planning right now.

(That said, selinux is pretty solid from a kernel pov. Still some warts
 in policy, but Dan is nailing those pretty quickly as usual).

I dunno.

	Dave

[*] The top kerneloops.org regressions right now are all in code that's
been added to Fedora that isn't upstream (yet).  This is not a good sign.

-- 
http://www.codemonkey.org.uk
