Linux Security Modules framework networking hooks (CONFIG_SECURITY_NETWORK) not enabled

Bug #13502 reported by Lorenzo Hernández García-Hierro (a.k.a. trulux)
Affects: linux-source-2.6.15 (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Fabio Massimo Di Nitto
Milestone: (none given)

Bug Description

The LSM framework networking hooks are not enabled, which prevents SELinux and
any other module or engine using the framework from accessing these (critical)
hooks used to implement fine-grained control over netlink classes, sockets, etc.

A simple grep'ing of the linux-image-2.6.10-4-* config shows:

CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_SECURITY_ROOTPLUG=m
CONFIG_SECURITY_SECLVL=m
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set

CONFIG_SECURITY_NETWORK should be "y", and CONFIG_SECURITY_SELINUX_MLS should
also be enabled for those who want to play around with it.

This should be solved before the final release if possible, because it's a
blocking issue which can lead to confusion for everyone relying on these hooks.
I apologize for not noticing it before the FF (I was running a kernel of my own,
so I only noticed it when trying to do some LSM work after installing the 2.6.10
image).

Cheers,
Lorenzo.

http://lsm.immunix.org
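A quick audit for the condition this report describes, added here as an example and not part of the bug report: it reads a kernel .config, classifies whether the LSM networking hooks are built in, and runs against a constructed sample reproducing the 2.6.10 lines quoted above plus the same file with the requested one-line fix. Point `report` at /boot/config-$(uname -r) to check a live system.

```shell
#!/bin/sh
# Added example: check a kernel .config for the LSM networking hooks
# (CONFIG_SECURITY_NETWORK) this report is about. Not part of the bug report.

# config_value FILE OPTION -> prints the option's value, or "n" when the
# option is "# ... is not set" or absent from the file.
config_value() {
    val=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    printf '%s\n' "${val:-n}"
}

# lsm_network_hooks_status FILE -> "no-lsm" when CONFIG_SECURITY is off,
# "disabled" when the hooks are not built in, "enabled" otherwise.
lsm_network_hooks_status() {
    if [ "$(config_value "$1" CONFIG_SECURITY)" != y ]; then
        echo no-lsm
    elif [ "$(config_value "$1" CONFIG_SECURITY_NETWORK)" != y ]; then
        echo disabled
    else
        echo enabled
    fi
}

# report FILE -> one line per option of interest, as a quick audit.
report() {
    echo "config: $1"
    for opt in CONFIG_SECURITY CONFIG_SECURITY_NETWORK \
               CONFIG_SECURITY_SELINUX CONFIG_SECURITY_SELINUX_MLS; do
        echo "  $opt=$(config_value "$1" "$opt")"
    done
    echo "  LSM networking hooks: $(lsm_network_hooks_status "$1")"
}

# Constructed sample reproducing the 2.6.10 config lines quoted in the report.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_MLS is not set
EOF

# The same config after the requested change (CONFIG_SECURITY_NETWORK=y).
FIXED_CONFIG=$(mktemp)
sed 's/^# CONFIG_SECURITY_NETWORK is not set$/CONFIG_SECURITY_NETWORK=y/' \
    "$SAMPLE_CONFIG" > "$FIXED_CONFIG"

report "$SAMPLE_CONFIG"   # LSM networking hooks: disabled
report "$FIXED_CONFIG"    # LSM networking hooks: enabled
```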

Revision history for this message
Matt Zimmerman (mdz) wrote :

Downgrading since this isn't a release goal.

As can be seen on the release schedule, we are in a high-caution period leading
up to the preview release, and only things which are critical for the preview
release will be changed at this time.

After the preview release, the kernel team can evaluate whether this is a safe
change to enable, and we can consider making the change at that time.

Lorenzo Hernández García-Hierro (a.k.a. trulux) (lorenzo-debian-hardened) wrote :

(In reply to comment #1)
> Downgrading since this isn't a release goal.
>
> As can be seen on the release schedule, we are in a high-caution period leading
> up to the preview release, and only things which are critical for the preview
> release will be changed at this time.
>
> After the preview release, the kernel team can evaluate whether this is a safe
> change to enable, and we can consider making the change at that time.

There's nothing unsafe in this operation; fixing it is plain easy and
inoffensive to the rest of things, but it prevents *all* of *us* who develop or
use SELinux and LSM related projects from making things go well.

I know we have reached a freeze, but we can't lead users to rebuild kernels just
because of a missing small "y" bit in CONFIG_SECURITY_NETWORK.

At least it is a big pain for me and other people working with SELinux
deployment in Ubuntu.

Cheers,
Lorenzo.

Matt Zimmerman (mdz) wrote :

If the kernel team has no objection, I have no problem with this being enabled
in the next kernel upload, now that the preview has been released. However, it
is still not a "major" bug; please leave the severity set appropriately.

Lorenzo Hernández García-Hierro (a.k.a. trulux) (lorenzo-debian-hardened) wrote :

Changed to Breezy and changed severity.
This should get done for Breezy as soon as possible, it's a little blocking issue.

Please check.

Fabio Massimo Di Nitto (fabbione) wrote :

You have been asked once already not to mangle bug severity.
This is an enhancement bug and it will be processed as such,
together with the others.

Fabio

Chuck Short (zulcss) wrote :

New kernel will hit the archive soon for breezy.
