Compiling in SELinux in the default kernels
The following message is a courtesy copy of an article
that has been posted to gmane.linux.debian.devel.kernel as well.
Hi,
I would once again like to bring up the possibility of
compiling in support for SELinux in 2.6.9+ kernels, but leaving them
disabled by default at boot time. This can be accomplished by
setting CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE==0 in the
configuration (I am attaching a suggested set of security related
configuration options below).
The last time I brought it up, I was told that his has already
come up on the list, and the reason we do not compile in SELinux is
that there is a performance hit on doing so.
On doing further research, I have discovered that yes, there
is a 5-7% performance penalty on *running* SELinux -- but that is a
whole different ball game. If SELinux is compiled in, and disabled at
boot, there is no discernible performance hit -- benchamrks show that
any effect is lost in the noise (since the only effect is that of the
LSM hooks alone).
I think this would be really helpful to our users, since then
they can chose to try out SELinux by just adding a stanza to grub or
lilo -- try things out in non-enforcing mode, for instance.
I also notice that 2.6.9 kernels are not slated for Sarge
(having just acquired an grave bug to ensure that), I strongly urge
that the 2.6.9 kernel configuration be modified for SELinux.
manoj
KERNEL CONFIGURATION
--------------------
Under Filesystems, be sure to enable the Ext[23] extended attributes and
Ext[23] Security Labels options (CONFIG_EXT[23]_FS_XATTR,
CONFIG_EXT[23]_FS_SECURITY).
Under Pseudo Filesystems, be sure to enable the /dev/pts
Extended Attributes and /dev/pts Security Labels options
(CONFIG_DEVPTS_FS_XATTR, CONFIG_DEVPTS_FS_SECURITY).
Under Security, be sure to enable all of the following options:
Enable different security models (CONFIG_SECURITY)
Socket and Networking Security Hooks (CONFIG_SECURITY_NETWORK)
Capabilities Support (CONFIG_SECURITY_CAPABILITIES)
NSA SELinux Support (CONFIG_SECURITY_SELINUX)
NSA SELinux Development Support (CONFIG_SECURITY_SELINUX_DEVELOP)
NSA SELinux boot parameter (CONFIG_SECURITY_SELINUX_BOOTPARAM)
Excerpts from my working config below:
======================================================================
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
#############################################
#
# Pseudo filesystems
#
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y
#############################################
# Security options
#
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set
--
Trying to break out of the Tempter's control, one's mind writhes to
and fro, like a fish pulled from its watery home onto dry ground. 34
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
Reply to: