On Wed, 20 Apr 2005 10:13:54 +1000, Russell Coker <[EMAIL PROTECTED]> said:
> On Tuesday 15 March 2005 09:32, Joey Hess <[EMAIL PROTECTED]> wrote:
>> The fact that the release team now sees the light at the end of the
>> tunnel for the release of sarge means that now is the time we need
>> to begin planning for etch. Allowing unstable development to pick
>> back up after a release with no clear plan for the next release has
>> been shown time and time again to delay the next release by one to
>> two *years*. The rest follows from that.

> Currently we plan to have libselinux in base for Etch. SE Linux
> code is in cron and logrotate which can be simply recompiled for
> full SE support. Fcron already is compiled with SE Linux support.
> The maintainer of sysvinit has agreed in concept to compile with SE
> support once libselinux is in base.

> We can basically make SE Linux usable by most people with a small
> amount of work once the above changes are made.

> I would like to see a general goal for Etch to have SE Linux as an
> option at install time.

In pursuance of that goal, I have made available a patched branch of
dpkg-devel which has support for SELinux. Please pull from
[EMAIL PROTECTED]/dpkg--selinux--1.13
(http://arch.debian.org/arch/private/srivasta/archive-2005-selinux)

This branch should have a small, very non-intrusive patch that does
not have a performance hit on a non-SELinux system. It does add a
dependency on libselinux1 for dpkg.

Please see
http://www.golden-gryphon.com/software/security/selinux.xhtml
for details. You may browse the repository at
http://www.golden-gryphon.com/cgi-bin/archzoom.cgi/[EMAIL PROTECTED]/?expand

If you want to try out this selinux aware dpkg, as well as Greg
T. Norris' selinux patched coreutils package, please point apt at:

deb http://people.debian.org/~srivasta/ packages/
deb-src http://people.debian.org/~srivasta/ packages/source/

manoj

Repository links

dpkg--stable
    The stable upstream DPKG branch, meant for Sarge.

dpkg--devel
    The upstream development branch for dpkg. This is meant for Etch --
    and since Etch can promote libselinux1 to an essential priority,
    this branch of dpkg could be linked against libselinux1.

dpkg--selinux-old
    Russell Coker's modifications to dpkg, which introduce
    {pre,post}{inst,rm}.d/ directories to label installed package files
    correctly, using setfiles. Unfortunately, these changes were deemed
    too far reaching, and really suboptimal, by dpkg authors, since they
    were not comfortable introducing the general purpose hook
    directories, which could lead to non-deterministic behaviour, and
    could be open to all kinds of abuse.

dpkg--selinux
    A new modification of dpkg, using SELinux library calls
    (matchpathcon and {l,f}setfilecon) to set the security context of
    component files just after unpacking. This approach may be more
    acceptable, since it does not create a whole set of directories that
    are open to potential abuse, and fits in with the chown/chmod calls
    that dpkg already makes.

--
What is food to one, is to others bitter poison. Titus Lucretius Carus
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
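
The dpkg--selinux approach described in the message above (look up the context with matchpathcon, apply it with lsetfilecon right after unpacking), as an added example that is not part of the original message and is not dpkg's code. The names label_unpacked and WITH_SELINUX, the temporary unpack name and the stand-in functions are assumptions of this example; the stand-ins let the control flow run on a machine without libselinux.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#ifdef WITH_SELINUX   /* assumed build switch: cc -DWITH_SELINUX ... -lselinux */
#include <selinux/selinux.h>
#else
/* Constructed stand-ins with the libselinux signatures (not a real policy). */
static int fake_enabled;                    /* what is_selinux_enabled() reports */
static char last_path[128], last_con[128];  /* records the last lsetfilecon call */
static int is_selinux_enabled(void) { return fake_enabled; }
static int matchpathcon(const char *path, mode_t mode, char **con) {
    static const char sample[] = "system_u:object_r:etc_t"; /* constructed */
    (void)mode;
    if (strncmp(path, "/etc/", 5) != 0) { errno = ENOENT; return -1; }
    if ((*con = malloc(sizeof sample)) == NULL) return -1;
    memcpy(*con, sample, sizeof sample);
    return 0;
}
static int lsetfilecon(const char *path, const char *con) {
    snprintf(last_path, sizeof last_path, "%s", path);
    snprintf(last_con, sizeof last_con, "%s", con);
    return 0;
}
static void freecon(char *con) { free(con); }
#endif

/* Label a file just after unpacking, next to the chown/chmod step.
 * The policy is matched against final_path; the label is applied to on_disk
 * (hypothetical temporary unpack name). Returns 0 if done or no-op, else -1. */
int label_unpacked(const char *final_path, const char *on_disk, mode_t mode) {
    char *con = NULL;
    int rc;
    if (is_selinux_enabled() <= 0)
        return 0;                          /* non-SELinux system: no extra work */
    if (matchpathcon(final_path, mode, &con) < 0)
        return errno == ENOENT ? 0 : -1;   /* no spec: keep the default label */
    rc = lsetfilecon(on_disk, con);        /* l* variant does not follow symlinks */
    if (rc < 0 && errno == ENOTSUP) rc = 0; /* filesystem cannot store labels */
    freecon(con);
    return rc;
}

int main(void) {
    printf("rc=%d\n", label_unpacked("/etc/example.conf", "/etc/example.conf.tmp", 0100644));
    return 0;
}
```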