Re: Headsup: ncurses soname bump 5 to 6

2008-09-16 Thread Steve Langasek
On Tue, Sep 16, 2008 at 05:21:10PM -0500, Adam Majer wrote:
> Steve Langasek wrote:
>> On Tue, Sep 16, 2008 at 09:21:44PM +0200, Daniel Baumann wrote:

>>> There is no hurry, but please start using soname-independent
>>> build-depends on ncurses as 'libncurses-dev | libncurses5-dev' in your
>>> next uploads.

>> Does this mean it /can't/ be handled with binNMUs because you're changing
>> the -dev package name?

> Daniel probably meant "it could be handled by binNMUs" provided people  
> upload their package(s) with the new build-depends before the transition  
> starts.

In that case: no, please fix your ncurses 6 package to provide a proper
transition path by adding Provides: libncurses5-dev.  You shouldn't plan
transitions in a way that requires uploads to over 400 source packages.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Headsup: ncurses soname bump 5 to 6

2008-09-16 Thread Daniel Baumann
Adam Majer wrote:
> Daniel probably meant "it could be handled by binNMUs" provided people
> upload their package(s) with the new build-depends before the transition
> starts.

yep; sorry for being imprecise.

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Raphael Geissert wrote:

> There should and will, but only if it is used.
> I have had neither time nor interest to read the docs to correctly set up
> SELinux. So, the several packages which are installed by default, because
> of priority: standard, are completely useless.

Packages that are useless to some people are not a very
 interesting set, since I can see some people having no use for some of
 the packages below.

Package: telnet
Package: exim4-config
Package: cpp-4.1
Package: g++-4.1
Package: libdns22
Package: python-minimal
Package: console-tools
Package: vim-common
Package: whiptail
Package: python
Package: console-data
Package: file
Package: gcc-4.1

Indeed, the question is not about utility for everyone, but the
 selection of a set of characteristics for the operating system we are
 creating, such that they prove to be of utility to a larger set of
 people. I think, in this day and age, mandatory security should have a
 low barrier of entry -- so something that is available, installed, and
 just needs minor configuration to enable is better than not having it
 around. And that means not disabling the patches that more and more
 upstreams are incorporating.

I think we have a low enough avc denial rate that
 unconfined/permissive already provides value. We are pretty close to
 achieving unconfined/enforcing for Lenny, and with help from people I
 think we can be there. strict/permissive and strict/enforcing should
 be doable for squeeze.

manoj
-- 
The ends justify the means. after Matthew Prior
Manoj Srivastava <[EMAIL PROTECTED]>   
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Bug#499222: ITP: lancelot -- Next gen menu for KDE4

2008-09-16 Thread Cassiano Bertol Leal
Package: wnpp
Severity: wishlist
Owner: Cassiano Bertol Leal <[EMAIL PROTECTED]>

* Package name: lancelot
  Version : 1.0.3-1
  Upstream Author : Ivan Čukić
* URL : http://lancelot.fomentgroup.org/
* License : (GPL)
  Programming Lang: (C, C++)
  Description : Next gen menu for KDE4

Lancelot is an application launcher menu (or ALI) for KDE 4 designed to provide 
a place from which all your jobs begin. It 
provides quick access to applications, places, documents, contacts and system 
information.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)






Re: http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/

2008-09-16 Thread Paul Wise
On Wed, Sep 17, 2008 at 9:25 AM, Russell Coker <[EMAIL PROTECTED]> wrote:

> Would it be possible to get the above web site changed to have the names of
> the daily build files include the date?

debian-cd is probably a better list to ask this.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





http://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/i386/iso-cd/

2008-09-16 Thread Russell Coker
Would it be possible to get the above web site changed to have the names of 
the daily build files include the date?

For example you could have debian-testing-i386-netinst.iso be a sym-link to 
debian-testing-2008-09-16-i386-netinst.iso.  That way the current URLs work, 
scripts that just want to get the latest version work, but anyone who does a 
manual download will not be at risk of losing the data regarding when the 
image was built.

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/  My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development





Re: Should selinux be standard?

2008-09-16 Thread Raphael Geissert
Manoj Srivastava wrote:

> On Mon, Sep 15 2008, Raphael Geissert wrote:
> 
>> Bastian Blank wrote:
>>
>>> On Mon, Sep 15, 2008 at 06:12:03PM +0200, Josselin Mouette wrote:
>>>> On Monday 15 September 2008 at 10:12 -0500, Manoj Srivastava wrote:
>>>> > > Agreed. Either SELinux is suitable with our default setup and we
>>>> > > should enable it by default to get all its alleged benefits, or it
>>>> > > is not, and we should simply not install it.
>>>> > Since the new default policy seems to be working in targeted
>>>> >  mode, I think we are doing fine.
>>>> Fine. Then let's enable it by default.
>>> 
>>> Oh yeah. Do you intend to do the support?
>>
>> If it is not very functional by default, or it is but nobody is
>> willing to support it, then it shouldn't be standard; that's the main
>> point.
> 
> If it is not functional, there should be bugs filed, no?

There should and will, but only if it is used.
I have had neither time nor interest to read the docs to correctly set up
SELinux. So, the several packages which are installed by default, because
of priority: standard, are completely useless.

> 
> manoj

Cheers,
Raphael





Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Stephen Gran wrote:
> This is a sid install of the default policy in non-enforcing mode.  I
> can't guarantee that every one of those complaints would have
> generated errors that matter, but it doesn't look like we're tuned for
> a normal install just yet.

Well, seems like I reach a different conclusion:
__> audit2allow <~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
13

13 lines of policy to get it into enforcing mode, assuming all
 of these actions are safe to allow.

--8<---cut here---start->8---
allow dhcpc_t ntpd_t:process signal;
allow dhcpc_t ntpd_var_run_t:file { read getattr unlink };
allow dhcpc_t self:capability kill;
allow dhcpc_t tmpfs_t:dir { write search add_name };
allow dhcpc_t tmpfs_t:file { create getattr append };

allow fsadm_t apmd_t:fd use;

allow insmod_t apmd_t:unix_stream_socket { read write };
allow insmod_t lib_t:file execute_no_trans;

allow logrotate_t unconfined_home_dir_t:dir search;

allow mount_t etc_t:file unlink;
allow ntpd_t tmpfs_t:dir { write search add_name };
allow udev_t etc_runtime_t:file { unlink append };
allow unconfined_t self:process { execstack execmem };
--8<---cut here---end--->8---

So, pretty close. Why is logrotate looking into user home
 directories? There is the mount and /etc/mtab thingy, and ifconfig
 writing to ifstate; these should really be changed.

I think dhcpd policy does need some loving.

I would much rather we chased down these last outlier bits of
 policy, and let the local admin decide if they really want logrotate to
 look into every single user directory, or not (me, I would prefer to
 create a separate label for log files in my home dir, but that is
 perhaps just me).

manoj
-- 
"The lesser of two evils -- is evil." Seymour (Sy) Leon
Manoj Srivastava <[EMAIL PROTECTED]>   
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Bug#499196: ITP: libimage-science-ruby -- Clean Ruby library to provide simple transformations on images

2008-09-16 Thread Gunnar Wolf
Package: wnpp
Severity: wishlist
Owner: Gunnar Wolf <[EMAIL PROTECTED]>


* Package name: libimage-science-ruby
  Version : 1.1.3
  Upstream Author : Ryan Davis <>
* URL : http://seattlerb.rubyforge.org/ImageScience.html
* License : MIT/X
  Programming Lang: Ruby
  Description : Clean Ruby library to provide simple transformations on 
images

ImageScience is a clean Ruby library allowing for simple
transformations on images, mainly geared towards generating thumbnails
- The provided functions aim at scaling and cropping images.

Emphasis is made on keeping the code as lean as possible (at less than
200 LoC), and on correctness to avoid memory leaks and similar
problems that often accompany similar libraries.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)






Re: Headsup: ncurses soname bump 5 to 6

2008-09-16 Thread Adam Majer

Steve Langasek wrote:
> On Tue, Sep 16, 2008 at 09:21:44PM +0200, Daniel Baumann wrote:
>
>> There is no hurry, but please start using soname-independent
>> build-depends on ncurses as 'libncurses-dev | libncurses5-dev' in your
>> next uploads.
>
> Does this mean it /can't/ be handled with binNMUs because you're changing
> the -dev package name?

Daniel probably meant "it could be handled by binNMUs" provided people
upload their package(s) with the new build-depends before the transition
starts.


- Adam





Re: Xen status in lenny?

2008-09-16 Thread Bastian Blank
On Tue, Sep 16, 2008 at 10:32:49PM +0200, Jan Wagner wrote:
> [Option 1-5] (Option 6 / SLES's 2.6.26 mentioned later in thread by Moritz)

Please show it. SLES 11 ships 2.6.25.

Bastian

-- 
Men of peace usually are [brave].
-- Spock, "The Savage Curtain", stardate 5906.5





Re: nut package freeze exception request (dependency based boot)

2008-09-16 Thread Adeodato Simó
* Anton Martchukov [Tue, 16 Sep 2008 13:00:42 +0400]:

> Hello Debian Release Team,

> could you enable freeze exception for nut package?

> There is a small change - removed symlink to init.d script
> that fixes bug when nut package prevented insserv from
> enabling dependency based boot:

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492734

> Dependency based boot is the release goal, so I think that
> freeze exception would be appropriate.

Wow. I'm not very knowledgeable on the matter, but after looking a bit
around, I would say it is not okay to just remove that symlink.

There's an "ups-monitor" virtual package defined in Policy, and
apparently all packages providing it ship /etc/init.d/ups-monitor, and
searching on the net one can find various bits of documentation
referring to that file.

I'm CC'ing -devel (and dropping -release via a Bcc) to see if there's
somebody around who knows more about this.

If nobody is, my take is that this nut upload is gratuitously breaking a
traditional interface, and I don't think that should be done just to
please insserv. Looks to me like insserv should be fixed instead...
(CC'ing maintainer as well.)

-- 
Adeodato Simó dato at net.com.org.es
Debian Developer  adeodato at debian.org
 
- Are you sure we're good?
- Always.
-- Rory and Lorelai





Re: Should selinux be standard?

2008-09-16 Thread Josselin Mouette
On Tuesday 16 September 2008 at 13:05 -0500, Manoj Srivastava wrote:
> allow avahi_t httpd_t:dbus send_msg;
> allow hald_t pcscd_t:dbus send_msg;
> allow httpd_t avahi_t:dbus send_msg;
> allow httpd_t system_dbusd_t:dbus send_msg;
> allow insmod_t lib_t:file execute_no_trans;
> allow mdadm_t device_t:blk_file { read ioctl };
> allow mdadm_t file_t:dir search;
> allow pcscd_t hald_t:dbus send_msg;
> allow pcscd_t system_dbusd_t:dbus send_msg;
> 
> I have not tried to boot into enforcing mode, but I am not sure
>  which of these are actually needed, and which can safely be denied
>  anyway.

If any of these are useless, why don’t you file corresponding bugs?

-- 
 .''`.
: :' :  We are debian.org. Lower your prices, surrender your code.
`. `'   We will add your hardware and software distinctiveness to
  `-our own. Resistance is futile.




Re: people.debian.org to move to ravel

2008-09-16 Thread Davide G. M. Salvetti
>  PP == Peter Palfrader [2008-8-27]

[...]

PP> This machine, ravel.debian.org, will become the new
PP> people.debian.org machine, providing general shell services to DDs
PP> and the http://people.debian.org/~/ webpages.

Hi,

as of now gluck.debian.org handles mail for a few *.debian.net domains
of some of us (klecker used to before gluck, see
 for the
original announcement and gluck:/etc/exim/bsmtp for the current list).
We fetch that mail via bsmtp (over ssh), exim cares to spool it in
~/bsmtp/ for us.

Since you plan to restrict access on gluck, I thought ravel would have
carried on this service.

I added 'dnsZoneEntry: salve IN MX 0 ravel.debian.org.' to our LDAP
database to test if ravel is already set up to deliver mail for such
domains via bsmtp and tried:
--8<---cut here---start->8---
[EMAIL PROTECTED] host -t mx salve.debian.net
salve.debian.net mail is handled by 0 ravel.debian.org.
[EMAIL PROTECTED] date | mail [EMAIL PROTECTED]
--8<---cut here---end--->8---
I got a
--8<---cut here---start->8---
Remote MTA ravel.debian.org: SMTP diagnostic: 550 relay not permitted
--8<---cut here---end--->8---
back.

What are your (DSA) plans about this matter?

-- 
Thanks, Davide





Re: Xen status in lenny?

2008-09-16 Thread Jan Wagner
Hi there,

On Tuesday 15 July 2008 16:02, Bastian Blank wrote:
> On Thu, Jul 10, 2008 at 09:53:25PM +0200, Lucas Nussbaum wrote:
> > What are the plans for Xen for lenny? Is this situation likely to change
> > before the release?
>
> As we have seen, there is no real plan. So lets summarize the
> possibilities:
>
[Option 1-5] (Option 6 / SLES's 2.6.26 mentioned later in thread by Moritz)

> Conclusion
> ==
> Xen has become an often used technique in the last two years. All of the large
> distributions got some sort of support for it. Debian Etch has full
> support for it. There were several requests from various people so I think
> not providing at least a minimal support in Lenny is wrong.
>
> I think option 4 would be the solution which produces the least amount
> of extra work and provides our users with support for their systems. I
> would provide the necessary packages but I want an okay for that
> solution from the security and the release team.

since we have rolled out over 50 dom0 with etch, we are really interested in 
having xen dom0 support in lenny. Are there any further decisions made? We 
chose Debian because we thought that Xen support won't be dropped in the next 
stable release and there is no influence by commercial interests in this.

Thanks for your work and please keep me (and all the others who seem 
interested, by the look of this thread) updated.

With kind regards, Jan.
-- 
Never write mail to <[EMAIL PROTECTED]>, you have been warned!
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GIT d-- s+: a- C+++ UL P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE
Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
--END GEEK CODE BLOCK--




Re: Should selinux be standard?

2008-09-16 Thread Stephen Gran
This one time, at band camp, Josselin Mouette said:
> On Sunday 14 September 2008 at 21:32 +1000, Russell Coker wrote:
> > For a typical desktop system (such as my EeePC) a default installation of 
> > SE 
> > Linux in Lenny works for most things.  
> 
> What do you mean by "most things"? What is not working?

Sep 15 22:04:17 spartacus kernel: [   17.148409] type=1400 audit(1221512644.263:3): avc:  denied  { execute_no_trans } for  pid=1497 comm="sh" path="/lib/alsa/modprobe-post-install" dev=hda1 ino=133937 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   24.378414] type=1400 audit(1221512651.107:4): avc:  denied  { unlink } for  pid=2141 comm="mount" name="blkid.tab.old" dev=hda1 ino=472430 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   26.578258] type=1400 audit(1221512653.313:5): avc:  denied  { append } for  pid=1215 comm="ifup" name="ifstate" dev=hda1 ino=472430 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   26.884443] type=1400 audit(1221512653.621:6): avc:  denied  { unlink } for  pid=1755 comm="ifup" name="ifstate" dev=hda1 ino=472430 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   27.648008] SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Sep 15 22:04:30 spartacus kernel: [   43.593733] type=1400 audit(1221512670.315:8): avc:  denied  { search } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.617789] type=1400 audit(1221512670.352:9): avc:  denied  { write } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.641627] type=1400 audit(1221512670.376:10): avc:  denied  { add_name } for  pid=3230 comm="ntpd" name="ntpGXDttA" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500825] type=1400 audit(1221512731.235:16): avc:  denied  { search } for  pid=3724 comm="dhclient-script" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500865] type=1400 audit(1221512731.235:17): avc:  denied  { write } for  pid=3724 comm="dhclient-script" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500897] type=1400 audit(1221512731.235:18): avc:  denied  { add_name } for  pid=3724 comm="dhclient-script" name="dhclient-script.debug" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:31 spartacus kernel: [  104.500953] type=1400 audit(1221512731.235:19): avc:  denied  { create } for  pid=3724 comm="dhclient-script" name="dhclient-script.debug" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:05:31 spartacus kernel: [  104.501021] type=1400 audit(1221512731.235:20): avc:  denied  { append } for  pid=3724 comm="dhclient-script" name="dhclient-script.debug" dev=tmpfs ino=12040 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:05:31 spartacus kernel: [  104.505653] type=1400 audit(1221512731.239:21): avc:  denied  { getattr } for  pid=3728 comm="env" path="/tmp/dhclient-script.debug" dev=tmpfs ino=12040 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527213] type=1400 audit(1221512736.259:22): avc:  denied  { read } for  pid=3772 comm="start-stop-daem" name="ntpd.pid" dev=hda3 ino=239075 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527300] type=1400 audit(1221512736.259:23): avc:  denied  { getattr } for  pid=3772 comm="start-stop-daem" path="/var/run/ntpd.pid" dev=hda3 ino=239075 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntpd_var_run_t:s0 tclass=file
Sep 15 22:05:36 spartacus kernel: [  109.527402] type=1400 audit(1221512736.259:24): avc:  denied  { kill } for  pid=3772 comm="start-stop-daem" capability=5 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
Sep 15 22:05:36 spartacus kernel: [  109.527470] type=1400 audit(1221512736.259:25): avc:  denied  { signal } for  pid=3772 comm="start-stop-daem" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:n

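The denial lines Stephen quotes above, and the audit2allow rule counts Manoj derives from the same kind of log earlier in this thread, both come down to grouping each AVC denial by source type, target type and object class. As an added example (not code from the thread and not audit2allow's own implementation), here is a small Python triage script that does that grouping over constructed sample lines in the quoted format, emits audit2allow-style `allow` statements, and flags permissions that deserve a human decision rather than a blanket allow; the review list and the sorted permission order are this example's own choices.

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules for triage.

Added example, not code from the thread or from audit2allow itself; the log
format is the one quoted in the thread, while the grouping, the review list
and the sorted permission order are this example's own assumptions.
"""
import re

# Constructed sample: kernel AVC lines shaped like the ones quoted in the thread
# (one entry per line), plus one non-AVC kernel line that must be skipped.
SAMPLE_LOG = """\
Sep 15 22:04:17 spartacus kernel: [   17.148409] type=1400 audit(1221512644.263:3): avc:  denied  { execute_no_trans } for  pid=1497 comm="sh" path="/lib/alsa/modprobe-post-install" dev=hda1 ino=133937 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   24.378414] type=1400 audit(1221512651.107:4): avc:  denied  { unlink } for  pid=2141 comm="mount" name="blkid.tab.old" dev=hda1 ino=472430 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [   27.648008] SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Sep 15 22:04:30 spartacus kernel: [   43.593733] type=1400 audit(1221512670.315:8): avc:  denied  { search } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:04:30 spartacus kernel: [   43.617789] type=1400 audit(1221512670.352:9): avc:  denied  { write } for  pid=3230 comm="ntpd" name="/" dev=tmpfs ino=8681 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Sep 15 22:05:36 spartacus kernel: [  109.527402] type=1400 audit(1221512736.259:24): avc:  denied  { kill } for  pid=3772 comm="start-stop-daem" capability=5 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=capability
"""

# One AVC denial: the permission set, the free-form key=value fields, then the
# source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s*'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that widen what a domain can execute or signal; allowing them
# blindly is what the thread warns against ("assuming all of these actions are
# safe to allow"). The list itself is this example's assumption.
REVIEW_PERMS = {"execmem", "execstack", "execmod", "execute_no_trans", "kill", "mounton"}


def context_type(ctx):
    """user:role:type[:mls] -> type. The MLS range may itself contain ':'."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return one dict per AVC denial line; kernel lines that are not denials are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "perms": m.group("perms").split(),
            "source": context_type(m.group("scontext")),
            # audit2allow writes 'self' when source and target contexts are equal
            "target": "self" if m.group("scontext") == m.group("tcontext")
                      else context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": fields.get("comm", "?"),
            "object": fields.get("path") or fields.get("name") or fields.get("capability", ""),
        })
    return denials


def aggregate(denials):
    """Group by (source, target, class): union of perms, plus who triggered them and on what."""
    groups = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        g = groups.setdefault(key, {"perms": set(), "comms": set(), "objects": set(), "count": 0})
        g["perms"].update(d["perms"])
        g["comms"].add(d["comm"])
        g["objects"].add(d["object"])
        g["count"] += 1
    return groups


def allow_rules(groups):
    """One audit2allow-style 'allow' statement per group, permissions sorted for stable output."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def triage_report(log_text):
    """Each rule with its evidence (count, commands, objects) and a flag for sensitive permissions."""
    groups = aggregate(parse_denials(log_text))
    report = []
    for rule, (_key, g) in zip(allow_rules(groups), sorted(groups.items())):
        report.append({
            "rule": rule,
            "count": g["count"],
            "comms": sorted(g["comms"]),
            "objects": sorted(o for o in g["objects"] if o),
            "review": bool(g["perms"] & REVIEW_PERMS),
        })
    return report


if __name__ == "__main__":
    for entry in triage_report(SAMPLE_LOG):
        marker = "REVIEW " if entry["review"] else "       "
        print(f"{marker}{entry['rule']}  # {entry['count']}x via {','.join(entry['comms'])}")
```

Feeding it a real /var/log/messages instead of SAMPLE_LOG gives the same rule list that the thread's `audit2allow | egrep -v '(^$)|(^#)'` pipeline counts, with the extra evidence column to decide each rule on.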
Re: Should selinux be standard?

2008-09-16 Thread Franklin PIAT
On Tue, 2008-09-16 at 13:05 -0500, Manoj Srivastava wrote:
> On Tue, Sep 16 2008, Julien Cristau wrote:
> 
> > I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> > related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> > from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> > from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> > /proc/net, creating a socket and doing anything with it, then some more
> > errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> > it's not allowed to connect to 11371/tcp, firefox, or gconfd-2.  Uptime
> > is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
> > Looks like it's not ready for prime time to me.
> 
> Hmm.

My own laptop, installed 2007-02.


$dpkg -l | egrep '^ii' | wc -l
1964

$uptime 
21:07:07 up 3 days, 9 min,  9 users,  load average: 0.40, 0.19, 0.23

$cat /var/log/messages{,.0,.1} |audit2allow | egrep -v '(^$)|(^#)'|wc -l
46

Not so bad for an old laptop, with many non-standard settings, and
probably some files that are improperly tagged.

$cat /var/log/messages{,.0,.1} | audit2allow | egrep -v '(^$)|(^#)' 

allow avahi_t httpd_t:dbus send_msg;
allow crond_t file_t:file { read getattr };
allow cupsd_t dhcpc_var_run_t:file { read getattr };
allow dhcpc_t avahi_var_run_t:dir { write remove_name search getattr add_name };
allow dhcpc_t avahi_var_run_t:file { write rename create unlink getattr };
allow dhcpc_t etc_t:file { execute execute_no_trans };
allow dhcpc_t lib_t:file execute_no_trans;
allow gpm_t self:process signull;
allow hald_t apm_bios_t:chr_file { read ioctl };
allow hald_t self:capability ipc_lock;
allow hald_t self:dir mounton;
allow hald_t self:process setrlimit;
allow hald_t tmpfs_t:blk_file { read write create };
allow hald_t tmpfs_t:dir { write add_name };
allow hald_t tmpfs_t:filesystem { mount unmount };
allow hald_t xdm_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t dhcpc_var_run_t:file { read getattr };
allow httpd_t httpd_modules_t:lnk_file read;
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t system_dbusd_t:unix_stream_socket connectto;
allow httpd_t system_dbusd_var_run_t:dir search;
allow httpd_t system_dbusd_var_run_t:sock_file write;
allow httpd_t usr_t:file { execute execute_no_trans };
allow httpd_t var_lib_t:dir { create rmdir };
allow httpd_t var_lib_t:file { write append setattr };
allow httpd_t var_t:dir read;
allow httpd_t var_t:file { read getattr ioctl };
allow httpd_t var_t:lnk_file read;
allow inetd_t var_lib_t:dir search;
allow insmod_t device_t:dir { write add_name };
allow insmod_t lib_t:file execute_no_trans;
allow insmod_t self:capability mknod;
allow ldconfig_t usr_t:file read;
allow logrotate_t unconfined_home_dir_t:dir search;
allow mount_t dosfs_t:dir search;
allow mount_t etc_t:file { write append };
allow rpcd_t proc_net_t:lnk_file read;
allow system_dbusd_t inotifyfs_t:dir read;
allow udev_t etc_runtime_t:file { unlink append };
allow udev_t usr_t:file execute;
allow udev_t var_log_t:file read;
allow unconfined_t lib_t:file execmod;
allow unconfined_t self:process { execstack execmem };
allow vbetool_t console_device_t:chr_file { read write };
allow xdm_t hald_t:dbus send_msg;

> I have not tried to boot into enforcing mode, but I am not sure
>  which of these are actually needed, and which can safely be denied
>  anyway. 

me neither.

>  So, 9 missing lines in policy, out of which 6 are about dbus.
>  Russell is probably way better than I to try to resolve these issues,
>  but I'll see what I can do to help.

The entries related to apache are probably either related to my own
specific settings, or related to libapache2-mod-dnssd.
Most of the httpd entries are probably specific for my configuration.

Franklin





Re: Headsup: ncurses soname bump 5 to 6

2008-09-16 Thread Steve Langasek
On Tue, Sep 16, 2008 at 09:21:44PM +0200, Daniel Baumann wrote:

> just a quick note: after lenny, ncurses will bump soname major from 5 to
> 6 in order to make mouse wheels work. The transition will be big, but
> can be entirely handled with binNMUs only and this is what this mail is
> about:

> There is no hurry, but please start using soname-independent
> build-depends on ncurses as 'libncurses-dev | libncurses5-dev' in your
> next uploads.

Does this mean it /can't/ be handled with binNMUs because you're changing
the -dev package name?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]





Headsup: ncurses soname bump 5 to 6

2008-09-16 Thread Daniel Baumann
Hi,

just a quick note: after lenny, ncurses will bump soname major from 5 to
6 in order to make mouse wheels work. The transition will be big, but
can be entirely handled with binNMUs only and this is what this mail is
about:

There is no hurry, but please start using soname-independent
build-depends on ncurses as 'libncurses-dev | libncurses5-dev' in your
next uploads.

Thanks,
Daniel

-- 
Address:Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:  [EMAIL PROTECTED]
Internet:   http://people.panthera-systems.net/~daniel-baumann/





Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Julien Cristau wrote:

> I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> /proc/net, creating a socket and doing anything with it, then some more
> errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> it's not allowed to connect to 11371/tcp, firefox, or gconfd-2.  Uptime
> is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
> Looks like it's not ready for prime time to me.

Hmm.
__> dpkg -l | egrep '^ii' | wc -l
4431
__> uptime
 12:56:01 up  1:31,  2 users,  load average: 0.46, 0.28, 0.20
__> audit2allow < /var/log/messages | egrep -v '(^$)|(^#)'  | wc -l
9
__>  audit2allow < /var/log/messages | egrep -v '(^$)|(^#)' 
allow avahi_t httpd_t:dbus send_msg;
allow hald_t pcscd_t:dbus send_msg;
allow httpd_t avahi_t:dbus send_msg;
allow httpd_t system_dbusd_t:dbus send_msg;
allow insmod_t lib_t:file execute_no_trans;
allow mdadm_t device_t:blk_file { read ioctl };
allow mdadm_t file_t:dir search;
allow pcscd_t hald_t:dbus send_msg;
allow pcscd_t system_dbusd_t:dbus send_msg;

I have not tried to boot into enforcing mode, but I am not sure
 which of these are actually needed, and which can safely be denied
 anyway. So, 9 missing lines in policy, out of which 6 are about dbus.
 Russell is probably way better than I to try to resolve these issues,
 but I'll see what I can do to help.

I have apache2, I run emacs (an OS by itself), I run iceweasel
 in a 32-bit chroot. I have modified udev to automagically mount my
 ipod/rockbox.

I humbly posit that this is pretty close to working now (for my
 development box, in default mode).

manoj
-- 
"Go! And never darken my towels again!" --Groucho Marx, "Duck Soup".
Manoj Srivastava <[EMAIL PROTECTED]>   
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: Should selinux be standard?

2008-09-16 Thread Martin Orr
On 16/09/08 13:44, Holger Levsen wrote:
> On Tuesday 16 September 2008 13:40, Reinhard Tartler wrote:
>> so an `ls -Z` does not work for you?
> 
> It doesn't do anything useful here.
> 
> I'm all for enabling selinux per default, but I think it should be done, when 
> it works and such a change shouldn't be done so close before a release. The 
> point is, that libselinux1 is installed everywhere, but not used/enabled on 
> default. So what's the point in installing it everywhere?

I can't see why you're complaining about libselinux1 - it's just a library,
and has to be installed everywhere since e.g. coreutils, sysvinit are linked
against it.  Like many libraries, it is quite happy to sit there doing
nothing.  The question is about installing policycoreutils and
selinux-refpolicy-default.

Was anyone suggesting enabling selinux by default for lenny?  That doesn't
seem sensible at this stage in the release cycle.  Given that, it probably
makes sense to reduce the policy priority, but with the intention of raising
it again after lenny is released and making "SELinux enabled by default" a
release goal for squeeze.

Best wishes,

-- 
Martin Orr





Re: Should selinux be standard?

2008-09-16 Thread Felipe Sateler
Manoj Srivastava wrote:

> Firstly, what policy are you using? Has your machine been updated
> to actually compile/load the policy? (Like a number of packages,
> SELinux does need some configuration).

I guess the argument could be made that a package that can't autoconfigure
itself for some basic functionality doesn't belong in a standard install.

-- 

  Felipe Sateler





Re: Should selinux be standard?

2008-09-16 Thread Manoj Srivastava
On Tue, Sep 16 2008, Julien Cristau wrote:

> I just tried booting with selinux=1 on my laptop.  I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add connecting to the ssh agent socket, from dhclient3 reading
> /proc/net, creating a socket and doing anything with it, then some more
> errors from bind startup, postfix startup, mutt, gpgkeys_hkp (apparently
> it's not allowed to connect to 11371/tcp, firefox, or gconfd-2.  Uptime
> is about 20 minutes, and dmesg|grep -c 'avc:  denied' returns 73.
> Looks like it's not ready for prime time to me.

Firstly, what policy are you using? Has your machine been updated
 to actually compile/load the policy? (Like a number of packages,
 SELinux does need some configuration).

Secondly, if you are indeed using selinux-policy-default, and
 have a properly labelled file system, and are still experiencing
 problems, have you filed a bug? At the very least, people who see avc
 denials on a properly configured machine should send me and russell a
 copy of their warning messages;  this will help ensure that these bugs
 go away.

Lastly, even running in permissive mode, since the policy is not
 yet perfect, if the volume of messages is reduced, keeping an eye on
 xconsole and the AVC messages is a useful indication of unusual
 activity on your machine.

Yes, I call the permissive mode AVC denial messages a useful
 feature, and audit2allow enables people to locally shut up spurious AVC
 messages so the real ones do not get lost in the forest, until the
 default policy is updated in response to the bug report filed.

At this point, we are so close -- and I would rather go ahead
 and finish polishing off the remaining lacunae, than regress to not
 having SELinux at all.

While we have not reached  the level required for strict policy,
 I think we are close to having targeted policy work out of the box. The
 last bit of work to make it work for lenny can be done, especially if
 people help identify the problem  areas.

manoj

-- 
Q: Are we not men? A: We are Vaxen.
Manoj Srivastava <[EMAIL PROTECTED]>   
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

