Re: SE Linux packages
On Thu, Oct 18, 2007 at 10:49:10PM -0300, Felipe Sateler wrote:
> Steve Langasek wrote:
> > What I'm missing from your mail and blog entry is an explanation of why
> > the existing packages in etch don't do the job for letting users run with
> > strict policy. Is the "semanage user -m" bug the only problem, or are there
> > others?

> Apparently there's at least the executable stack problem:
> http://etbe.coker.com.au/2007/10/10/lintian-and-executable-stacks/
> http://etbe.coker.com.au/2007/10/07/executable-stack-and-shared-objects/

Well, the number of shared libs with this problem is fairly small; indeed,
SELinux is not the first kernel security patch to object to them. So that
doesn't prevent running an etch system with strict policy, it just prevents a
fairly small number of apps from working under strict policy.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: SE Linux packages
Steve Langasek wrote:

> What I'm missing from your mail and blog entry is an explanation of why
> the existing packages in etch don't do the job for letting users run with
> strict policy. Is the "semanage user -m" bug the only problem, or are there
> others?

Apparently there's at least the executable stack problem:
http://etbe.coker.com.au/2007/10/10/lintian-and-executable-stacks/
http://etbe.coker.com.au/2007/10/07/executable-stack-and-shared-objects/

-- 
Felipe Sateler
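The executable-stack check behind the two lintian posts linked above, as an added example that is not from this thread, from lintian or from the SE Linux packages: a small ELF program-header parser that classifies a shared object by its PT_GNU_STACK marking the way the kernel reads it (PF_X set means an executable stack is requested; no PT_GNU_STACK at all makes the i386 kernel fall back to an executable stack, so that case is flagged too). The `build_elf` helper only constructs minimal in-memory test images; real files are read only when paths are given on the command line.

```python
"""Classify ELF shared objects by their PT_GNU_STACK marking.

Added example for the executable-stack discussion; not code from the
thread, from lintian or from the SE Linux packages.  The kernel decides
whether a process needs an executable stack from the PT_GNU_STACK
program header of the executable and of every shared object it loads:
PF_X set means executable; no PT_GNU_STACK at all means the loader
falls back to an executable stack on i386.  Both cases are flagged.
"""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def _ident(data):
    """Return (struct endian prefix, is64) from e_ident, or raise ValueError."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    return ("<" if data[5] == 1 else ">"), data[4] == 2


def program_headers(data):
    """Yield (p_type, p_flags) for each program header, ELF32 or ELF64."""
    endian, is64 = _ident(data)
    if is64:
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)   # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(endian + "I", data, 28)   # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:
            (p_type,) = struct.unpack_from(endian + "I", data, off)
            (p_flags,) = struct.unpack_from(endian + "I", data, off + 24)
        yield p_type, p_flags


def stack_status(data):
    """'exec', 'noexec' or 'missing', read the way the kernel reads it."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "missing"


def needs_exec_stack(data):
    """True for the objects an executable-stack check would flag."""
    return stack_status(data) != "noexec"


def build_elf(is64, gnu_stack_flags=None, little=True):
    """Constructed test input: a minimal ET_DYN image made of an ELF header
    and a program-header table with one PT_LOAD and, when gnu_stack_flags
    is given, one PT_GNU_STACK carrying those flags."""
    endian = "<" if little else ">"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    phdrs = [(PT_LOAD, PF_R | PF_X)]
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags))
    if is64:
        ehsize, phentsize = 64, 56
        header = ident + struct.pack(endian + "HHIQQQIHHHHHH", 3, 62, 1, 0,
                                     ehsize, 0, 0, ehsize, phentsize,
                                     len(phdrs), 0, 0, 0)
        table = b"".join(struct.pack(endian + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                         for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        header = ident + struct.pack(endian + "HHIIIIIHHHHHH", 3, 3, 1, 0,
                                     ehsize, 0, 0, ehsize, phentsize,
                                     len(phdrs), 0, 0, 0)
        table = b"".join(struct.pack(endian + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x1000)
                         for t, f in phdrs)
    return header + table


def scan(paths):
    """Return {path: status} for the ELF files among paths; skip the rest."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = stack_status(fh.read())
        except (OSError, ValueError, struct.error):
            continue
    return results


if __name__ == "__main__":
    # e.g.  python3 stackcheck.py /usr/lib/*.so*
    for path, status in sorted(scan(sys.argv[1:]).items()):
        if status != "noexec":
            print(f"{status:8} {path}")
```

Run it over a library directory and anything reported as `exec` or `missing` is a candidate for the treatment discussed in the linked posts (rebuilding with the assembler sources marked non-executable, or clearing the flag in the binary).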
Re: SE Linux packages
Hi Russell,

On Fri, Oct 19, 2007 at 09:26:18AM +1000, Russell Coker wrote:
> deb http://www.coker.com.au etch selinux

> The above sources.list line has all the i386 packages needed for running SE
> Linux with strict policy on Etch (apart from a minor hack that's needed
> in /etc/init.d/udev) as well as a couple of packages that are not strictly
> needed but which are really convenient (to solve the executable stack issue).

> http://etbe.coker.com.au/2007/10/19/my-se-linux-etch-repository/

> The above URL has my blog post with more information.

What I'm missing from your mail and blog entry is an explanation of why the
existing packages in etch don't do the job for letting users run with strict
policy. Is the "semanage user -m" bug the only problem, or are there others?

FWIW, I found in my tests that I couldn't get SELinux to work as expected on
my system with the etch packages, because for some reason I had no user_t
created for me.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
SE Linux packages
deb http://www.coker.com.au etch selinux

The above sources.list line has all the i386 packages needed for running SE
Linux with strict policy on Etch (apart from a minor hack that's needed
in /etc/init.d/udev) as well as a couple of packages that are not strictly
needed but which are really convenient (to solve the executable stack issue).

http://etbe.coker.com.au/2007/10/19/my-se-linux-etch-repository/

The above URL has my blog post with more information.

-- 
[EMAIL PROTECTED]
http://etbe.coker.com.au/                  My Blog
http://www.coker.com.au/sponsorship.html   Sponsoring Free Software development
new debian SE Linux packages
I have uploaded a new kernel-patch-2.4-lsm package that implements the V9
policy format and uses /etc/security/selinux to store it. I have also uploaded
a matching "selinux" package that will compile to the same format.

With the location change the upgrade path will be a lot smoother. If you want
to upgrade from V8 policy to V9 then you should first install the "selinux"
package and tell it to install the policy (you can't load the policy into a V8
kernel because of format differences). Then at that time you will have both V8
and V9 policy databases installed in different locations; when you boot, the
kernel will select the appropriate policy database. After that you can
compile, install, and boot a kernel for a V9 policy at your leisure (but you
will be unable to recompile the policy for the V8 kernel with the latest
"selinux" package).

Now the problem I have is that I want it to be possible to compile a V8 and a
V9 policy database at the same time for easy upgrade support (you don't
generally do a quick kernel upgrade on the type of machine you run SE Linux
on). What I plan to do is to split out the checkpolicy program (the program
that compiles the ASCII policy file into the database) into a separate package
with a name based on its version number. Then it'll be possible to have
multiple versions installed at the same time. As this program depends on both
the kernel source package and the selinux-small source package in a
version-dependent fashion it will be impossible to have multiple versions be
buildable by auto-builders. I plan to keep packages of old versions of the
checkpolicy package for i386 on my web site.

If anyone has a better solution to this then please make suggestions.

PS For the Debian people who are getting a bad opinion about SE Linux, most of
the strange stuff I discussed before (like diverting start-stop-daemon and
hacking devfsd) was backed out long before I started uploading the packages to
unstable.
-- 
If you send email to me or to a mailing list that I use which has >4 lines of
legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.