Thanks Stephen. I have modified ltp/README and selinux/README accordingly. Regards-- Subrata On Tue, 2008-11-04 at 09:47 -0500, Stephen Smalley wrote: > On Tue, 2008-11-04 at 17:16 +0530, Subrata Modak wrote: > > Hi Serge & Stephen, > > > > Are there any more .config options required to be set/unset for > > compiling 2.6.27 with all LSM enabled, apart from below: > > > > CONFIG_SECURITY=y > > CONFIG_SECURITY_NETWORK=y > > CONFIG_SECURITY_NETWORK_XFRM=y > > CONFIG_SECURITY_FILE_CAPABILITIES=y > > These are fine. > > > CONFIG_SECURITY_ROOTPLUG=y > > Don't enable rootplug - it doesn't honor the security= option. See > below. Plus it is just a toy example for an article that was published > long ago. I don't really understand why it is in mainline. > > > CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0 > > This has to be set to a positive value if you want to test this check. > Fedora kernels set it to 65536. > > > CONFIG_SECURITY_SELINUX=y > > CONFIG_SECURITY_SELINUX_BOOTPARAM=y > > CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 > > CONFIG_SECURITY_SELINUX_DEVELOP=y > > CONFIG_SECURITY_SELINUX_AVC_STATS=y > > CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 > > CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y > > These are fine. > > > CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y > > You don't want this one unless you are running Fedora 3 or 4. On > anything newer, it will cause unnecessary policy expansion. > > > CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE=19 > > CONFIG_SECURITY_SMACK=y > > > > I would like to run the filecaps and selinux tests in LTP and may be any > > SMACK tests in future. Will it create a problem if kernel is built with > > both below options set: > > > > CONFIG_SECURITY_SMACK=y > > CONFIG_SECURITY_SELINUX=y > > By default, if you boot with multiple LSMs compiled into the kernel, the > kernel won't boot succesfully - there can be only one (aside from > explicit internal "stacking" e.g. as is done for combining SELinux or > Smack with capabilities). Unless you use the security= option to select > one at boot. SELinux and Smack will honor the security= option. > > > A great help would be in the form of a patch in updating: > > http://ltp.cvs.sourceforge.net/viewvc/ltp/ltp/testcases/kernel/security/selinux-testsuite/README > > > > in terms of exact SELinux policy(s) and userspace tool(s) to be > > installed (from where to get and where to put) to build and run the > > SELinux testsuite, supposing that a new kernel is built and no SELinux > > policies/uerspace tools existed there before. > > The existing ltp selinux testsuite presumes that you have an existing > SELinux policy + userspace tools. I've only ever used it on Fedora and > RHEL, and principally on the latest Fedora. > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
