Package: wnpp
Severity: wishlist
Owner: Thomas Goirand
* Package name: puppet-module-puppetlabs-selinux-core
Version : 1.0.4
Upstream Author : Puppet Labs INC.
* URL : https://github.com/puppetlabs/puppetlabs-selinux_core
* License : Apache-2.0
Programming
On Fri, 17 Apr 2015 13:50:26 +0200
Tobias Bengfort wrote:
> Hi,
>
> I recently updated my system to jessie. I noticed that some packages
> were gone, notably selinux-policy-default. As far as I understand they
> have no chance of coming back in because jessie is already fr
Hi,
I recently updated my system to jessie. I noticed that some packages
were gone, notably selinux-policy-default. As far as I understand they
have no chance of coming back in because jessie is already frozen. So do
I understand correctly that SELinux will not be included in the upcoming
version
Package: wnpp
Severity: wishlist
Owner: Victor Porton
I want to package this software along with some system scripts (to help
installation of other packages) I am going to create:
https://bitbucket.org/jwcarter/secilc
Please take into account, it is my first package
to be put into Debian.
Wel
so thanks for the clarification.
Your proposal seems fine then.
For users who don't have selinux enabled (which should be the vast
majority), the directory will be removed on upgrades.
And, as you said, wheezy already switched to the new location, I assume
selinux users with a standard s
zy machine is still using the old mountpoint that
> > might be for perfectly valid reasons and the package shouldn't
> > touch it. A discussion has already been initiated on the bug
> > report, see: #658070.
>
> I think I mentioned that before: imho it would be nice to c
ezy machine is still using the old mountpoint that might be for
> > perfectly valid reasons and the package shouldn't touch it.
> > A discussion has already been initiated on the bug report, see: #658070.
> I think I mentioned that before: imho it would be nice to clean up
> /s
On May 07, Michael Biebl wrote:
> I think I mentioned that before: imho it would be nice to clean up
> /selinux on upgrades automatically *if* /selinux is not in use, ie. no
> selinuxfs mounted there.
Agreed.
--
ciao,
Marco
> perfectly valid reasons and the package shouldn't touch it.
> A discussion has already been initiated on the bug report, see: #658070.
I think I mentioned that before: imho it would be nice to clean up
/selinux on upgrades automatically *if* /selinux is not in use, ie. no
selinuxfs mounte
Hello,
I'm planning to upload a new version of libselinux in unstable
soon. This new version is dropping the /selinux directory that was used
in the past as the selinuxfs mountpoint.
Since Wheezy, the library is mounting selinuxfs under /sys/fs/selinux,
and falling back to /selinux if the f
On Thu, Mar 08, 2012 at 08:13:10PM +0100, Laurent Bigonville wrote:
> On SELinux enabled systems, login applications need to call selinux pam
> module during the opening of the session to correctly set the user's
> security context. In Debian the "login" service is already d
Hi,
On SELinux enabled systems, login applications need to call selinux pam
module during the opening of the session to correctly set the user's
security context. In Debian the "login" service is already doing this,
but desktop managers are not.
I would propose to add the nee
in
>> Pre-Depends. Which is why I am starting discussion on d-d. Personally
>> I do not care a lot. I am not using SElinux but the feature has been
>> explicitly requested by a user in #572809.
>
> This is not a "new pre-depends" strictly speaking,
I thought the poin
On Sat, 3 Apr 2010, Andreas Metzler wrote:
> Hello,
>
> upstream has included SELinux support in GNU findutils 4.5.7, i.e.:
>
> -context pattern
> (SELinux only) Security context of the file matches glob pattern.
>
Hello,
upstream has included SELinux support in GNU findutils 4.5.7, i.e.:
-context pattern
(SELinux only) Security context of the file matches glob pattern.
-printf format
%Z (SELinux only) file's security context.
This req
On Friday 15 May 2009 06:26:00 Jiří Paleček wrote:
> > I am not yet comfortable with my security policy changing just
> > because a package is installed. So far, even the policy packages do not
> > install the new policy, letting the security officer audit and manually
> > install policy
Hello,
I am trying to find docs teaching how to package (The Right Debian Way)
an application SELinux custom policy.
Could you point some urls to study this packaging procedure (policy, dev
helper scripts, etc)?
At the [1], I found somewhat vague instructions (for a newbie) regarding
custom
On Tue, 05 May 2009 18:20:15 +0200, Manoj Srivastava
wrote:
On Mon, May 04 2009, Riku Voipio wrote:
On Mon, Apr 06, 2009 at 10:13:39PM -, Jiri Palecek wrote:
I'd like to package the selinux tests from the ltp test suite. The
tests
need a special selinux policy to be loaded and
On Mon, May 04 2009, Riku Voipio wrote:
> On Mon, Apr 06, 2009 at 10:13:39PM -, Jiri Palecek wrote:
>> I'd like to package the selinux tests from the ltp test suite. The tests
>> need a special selinux policy to be loaded and some files to be relabeled.
>> I have
On Mon, Apr 06, 2009 at 10:13:39PM -, Jiri Palecek wrote:
> I'd like to package the selinux tests from the ltp test suite. The tests
> need a special selinux policy to be loaded and some files to be relabeled.
> I haven't found any standard way of packaging
Hello,
I'd like to package the selinux tests from the ltp test suite. The tests
need a special selinux policy to be loaded and some files to be relabeled.
I haven't found any standard way of packaging this, so I made an
experimental package (see [1]; it sort of works - not comple
tags #514061 + help
thanks
Hello list,
I am also an SELinux newbie and hope here is someone who knows how to
fix this. :-)
Please keep the BTS in CC, thanks.
- Original Message
Subject: [Pkg-fglrx-devel] Bug#514061: Workaround
[Kurt Roeckx]
> I don't see why you reassign it back to the ntp package. I'm not
> sure what you think has changed that it should be reassigned.
I guess you did not read the message in the reassign email then:
ntp-server was merged with ntp. Reassign there instead of general.
Not sure if it
> > reassign 261213 ntp
> Bug#261213: ntp-server: Chdir to / in cron job for selinux
I don't see why you reassign it back to the ntp package. I'm not sure
what you think has changed that it should be reassigned. I'm also not
sure why it got cloned in the first place.
Python
Description : Tool to help troubleshoot SELinux problems (plugins)
Tools to help diagnose SELinux problems. When AVC messages
are generated an alert can be generated that will give information
about the problem and help track its resolution. Alerts can be configured
to user preference. The same
) a default installation
> > > of SE Linux in Lenny works for most things.
> >
> > What do you mean by "most things"? What is not working?
>
> I just tried booting with selinux=1 on my laptop. I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3,
On i3
On Tue, Oct 07, 2008 at 06:38:12AM +1000, Russell Coker wrote:
> On Tuesday 16 September 2008 04:14, Bastian Blank <[EMAIL PROTECTED]> wrote:
> > This
> > cost me over one hour as bind lacks proper error messages in this code
> > path.
>
> Has that bug in bind (inadequate error reporting) been fix
ries written and packaged
by people who are more concerned about a possible 15% performance increase
than a proven security risk.
There is a SE Linux boolean that you can set to enable execmod access, reduce
the security of your system, and get a performance benefit for some
operations.
>
On Tuesday 16 September 2008 04:14, Bastian Blank <[EMAIL PROTECTED]> wrote:
> This
> cost me over one hour as bind lacks proper error messages in this code
> path.
Has that bug in bind (inadequate error reporting) been fixed?
--
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http
On Wed, Sep 17 2008, Vincent Danjean wrote:
> Manoj Srivastava wrote:
>> I think we have a low enough avc denial rate that
>> unconfined/permissive already provides value. We are pretty close to
>> achieving unconfined/enforcing for Lenny, and with help from people I
>> think we can
Vincent Danjean wrote:
...
> But if selinux is installed by default on all systems, then I really
> think
> that a basic documentation for Debian administrators (I mean people
> managing machines with the Debian distribution on it, not admin of
> official Debian machines) MUST b
ct/enforcing should
> be doable for squeeze.
One thing that I really miss is a documentation entry point.
I think I know lots of things about admin, OS, kernel, ... I heard about
SElinux, I know it should improve the security (at least for servers).
From the beginning of this thread, I rea
, but it doesn't look like we're tuned for
> > a normal install just yet.
>
> Well, seems like I reach a different conclusion:
> __> audit2allow <~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
> 13
>
> 13 lines of policy to ge
On Tue, Sep 16 2008, Raphael Geissert wrote:
> There should and will, but only if it used.
> I have had neither time nor interest to read the docs to correctly set up
> SELinux. So, the several packages which are installed by default, because
> of priority: standard, are c
Manoj Srivastava wrote:
> On Mon, Sep 15 2008, Raphael Geissert wrote:
>
>> Bastian Blank wrote:
>>
>>> On Mon, Sep 15, 2008 at 06:12:03PM +0200, Josselin Mouette wrote:
>>>> On Monday 15 September 2008 at 10:12 -0500, Manoj Srivastava wrote:
>>>>
all just yet.
Well, seems like I reach a different conclusion:
__> audit2allow <~/selinux-denials-3.txt | egrep -v '(^$)|(^#)' | wc -l
13
13 lines of policy to get it into enforcing mode, assuming all
of these actions are safe to allow.
--8<---cut he
On Tuesday 16 September 2008 at 13:05 -0500, Manoj Srivastava wrote:
> allow avahi_t httpd_t:dbus send_msg;
> allow hald_t pcscd_t:dbus send_msg;
> allow httpd_t avahi_t:dbus send_msg;
> allow httpd_t system_dbusd_t:dbus send_msg;
> allow insmod_t lib_t:file execute_no_trans;
> allow mdadm_t device
-s0:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Sep 15 22:04:17 spartacus kernel: [ 27.648008] SELinux: initialized (dev
rpc_pipefs, type rpc_pipefs), uses genfs_contexts
Sep 15 22:04:30 spartacus kernel: [ 43.593733] type=1400
audit(1221512670.315:8): avc: den
On Tue, 2008-09-16 at 13:05 -0500, Manoj Srivastava wrote:
> On Tue, Sep 16 2008, Julien Cristau wrote:
>
> > I just tried booting with selinux=1 on my laptop. I see errors from mpd
> > related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> > from sudo
On Tue, Sep 16 2008, Julien Cristau wrote:
> I just tried booting with selinux=1 on my laptop. I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add conne
On 16/09/08 13:44, Holger Levsen wrote:
> On Tuesday 16 September 2008 13:40, Reinhard Tartler wrote:
>> so an `ls -Z` does not work for you?
>
> It doesn't do anything useful here.
>
> I'm all for enabling selinux per default, but I think it should be done, when
>
Manoj Srivastava wrote:
> Firstly, what policy are you using? Has your machine been updated
> to actually compile/load the policy? (Like a number of packages,
> SELinux does need some configuration).
I guess the argument could be made that a package that can't autoconfigure
itself
On Tue, Sep 16 2008, Julien Cristau wrote:
> I just tried booting with selinux=1 on my laptop. I see errors from mpd
> related to /usr/lib/libtheora.so.0.3.3, from xdm starting my X session,
> from sudo reading /etc/resolv.conf, from dmesg reading the system log,
> from ssh-add conne
On Sun, September 14, 2008 12:40, Frans Pop wrote:
> For those reasons I support the suggestion to change the priority of
> SeLinux back to optional.
> We can always discuss returning it to priority standard if/when SeLinux is
> really ready to be not only installed by default, but al
On Sunday 14 September 2008 20:40, Frans Pop <[EMAIL PROTECTED]> wrote:
> Although I agree with your basic question, I do wonder how it can be a
> regression from Etch as selinux was also "priority standard" for Etch.
> It was my impression that selinux installation h
On Sunday 14 September 2008 19:08, Martin Michlmayr <[EMAIL PROTECTED]> wrote:
> I'd like to ask whether selinux should really be installed by default.
> On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
> installing selinux-policy-default takes at leas
Martin Michlmayr wrote:
> I'd like to ask whether selinux should really be installed by default.
> On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
> installing selinux-policy-default takes at least half an hour (with
> heavy swapping) or possibly even more.
On Sunday 14 September 2008, Martin Michlmayr wrote:
> I'd like to ask whether selinux should really be installed by default.
> On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
> installing selinux-policy-default takes at least half an hour (with
> heavy swap
I'd like to ask whether selinux should really be installed by default.
On the Linksys NSLU2, a very popular device with only 32 MB of RAM,
installing selinux-policy-default takes at least half an hour (with
heavy swapping) or possibly even more. This is a major regression
from the inst
On Fri, 21 Mar 2008 19:48:40 +0100, Pierre THIERRY
<[EMAIL PROTECTED]> said:
> Is there available data about the overhead of enforcing various
> SELinux policies?
I do not have data, no, but I recall a talk at the SELinux
symposium a couple of years ago which pegged the o
On Fri, Mar 21, 2008 at 07:48:40PM +0100, Pierre THIERRY wrote:
> Is there available data about the overhead of enforcing various SELinux
> policies?
>
> Quantitatively,
> Pierre
Is this in comparison to 'having SELinux support' which is what I
understand
Hi,
On Fri, 21 Mar 2008 12:52:53 +0100, Václav Ovsík <[EMAIL PROTECTED]> said:
> I have already some open threads over [EMAIL PROTECTED] I hope
> they will continue to some final state. Maybe the discussion about
> SELinux problems can be managed on
> [EMAIL PROTECTED] now.
Is there available data about the overhead of enforcing various SELinux
policies?
Quantitatively,
Pierre
--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
Hi,
On Wed, Mar 19, 2008 at 11:01:40PM -0500, Manoj Srivastava wrote:
> Hi,
>
> As of this writing, all the core SELinux packages in Debian have
> been updated to the latest release earlier this month; and thus are
> fairly up to date.
>
> I have al
b, and
> >> start paying attention to my Debian packages again; so hopefully the
> >> state of SELinux in Debian will improve -- at least, I'll try to be
> >> more reactive in the future.
> >>
> >> anyway, kick the tyres, look at the Debian diffs with re
On Thu, 20 Mar 2008 09:34:38 +0100, Raphael Hertzog <[EMAIL PROTECTED]> said:
> Hi,
> On Wed, 19 Mar 2008, Manoj Srivastava wrote:
>> I am beginning to come back from a deadline crunch on my day job, and
>> start paying attention to my Debian packages again; so hopefully
Hi,
On Wed, 19 Mar 2008, Manoj Srivastava wrote:
> I am beginning to come back from a deadline crunch on my day
> job, and start paying attention to my Debian packages again; so
> hopefully the state of SELinux in Debian will improve -- at least, I'll
> try to be mor
Hi,
As of this writing, all the core SELinux packages in Debian have
been updated to the latest release earlier this month; and thus are
fairly up to date.
I have also merged SVN HEAD of refpolicy into the Debian
package, and thus the refpolicy packages uploaded tonight will
On Wed, Feb 06, 2008 at 12:27:45PM +0100, maximilian attems wrote:
>
> > The priority of selinux packages was changed from optional to standard,
> > fairly shortly before the release of Etch.
> >
> > I propose to revert that change before Lenny. The basic reason is th
In how far are other tasks more or less user-oriented?
Quite far. The point of tasks presented to users during an install run
is being understandable by the very average user. The only way to give
a good idea of what SELinux is is more or less using "Security
enhanced system"whic
volved.
But as long as you are around and updating the packages it's not at all
important - you're doing the job, so you get to decide. EOD.
P.S. If anyone wants to adopt the "selinux-basics" package, go ahead.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org)
On Thu, Feb 07, 2008 at 02:00:41PM +0100, maximilian attems wrote:
> > I disagree that simply willingness can nack Frans' request.
> > If the current situation is "bad", and I assume that trusting Frans'
> > words, and it has been like that for long, then the request should be
> > fulfilled now. La
On Thu, Feb 07, 2008 at 01:34:11PM +0100, Stefano Zacchiroli wrote:
> On Wed, Feb 06, 2008 at 06:49:20PM +0100, maximilian attems wrote:
> > but currently willing to work on i'd nack fjp requests.
> > of course if no progress has been made in a month,
> > his request is more than reasonable.
>
> I
On Wed, Feb 06, 2008 at 06:49:20PM +0100, maximilian attems wrote:
> but currently willing to work on i'd nack fjp requests.
> of course if no progress has been made in a month,
> his request is more than reasonable.
I disagree that simply willingness can nack Frans' request.
If the current situat
On Thu, Feb 07, 2008 at 04:34:58AM -0600, Manoj Srivastava wrote:
>..
> Well, don't bother with the SELinux packages; most of them are
> already in Incoming, though I am not packaging straight out of SVN yet.
> I'm sticking to the released versions, until I can see
On Thu, 7 Feb 2008 10:10:19 +0100, Václav Ovsík <[EMAIL PROTECTED]> said:
> On Wed, Feb 06, 2008 at 11:43:54PM -0600, Manoj Srivastava wrote:
>> I don't think Lenny is in shape for a release either. It took me
>> about a day to get most SELinux packages back up to
On Wed, Feb 06, 2008 at 11:43:54PM -0600, Manoj Srivastava wrote:
> I don't think Lenny is in shape for a release either. It took
> me about a day to get most SELinux packages back up to date -- which
> means we could have them updated anytime in the last few months, if
On Thu, 7 Feb 2008 07:02:40 +0100, Christian Perrier <[EMAIL PROTECTED]> said:
> I slightly disagree. Not that I have doubts about your commitment, but
> this entire discussion showed that SELinux is, right now, not ready
> for being included in default installs. As D-I is p
On Thu, 7 Feb 2008, Christian Perrier wrote:
Possible alternative: create a tasksel's task to include it, which
would make testing of installs with SELinux by default easier.
I would be in great favour of this.
Being
something not really end user-oriented, that would have to be a
"
entire discussion showed that SELinux is, right now, not ready
for being included in default installs. As D-I is preparing a beta
release, it could be better to downgrade selinux stuff to optional
before that release.
It can still be reactivated later in case the progress you bring
proves to b
On Wed, 06 Feb 2008 00:49:01 +0100, Erich Schubert <[EMAIL PROTECTED]> said:
> Hello Frans, Hello fellow DDs, Yes, the SELinux stuff doesn't seem to
> have any currently active developers. I haven't heard anything from
> Manoj in months.
I haven'
On Wed, 6 Feb 2008 12:27:45 +0100, maximilian attems <[EMAIL PROTECTED]> said:
> so asking if the SELinux team is ok with adding me as co-maintainer?
> thanks Erich for your concise posting on where the work needs to be
> picked up!
The place we need most work is
1)
On Tue, 5 Feb 2008 23:19:14 +0100, Frans Pop <[EMAIL PROTECTED]> said:
> The priority of selinux packages was changed from optional to
> standard, fairly shortly before the release of Etch.
> I propose to revert that change before Lenny. The basic reason is that
> the sel
Hi everyone,
There is no real "SELinux team" anymore that could say yes or no to
anything I figure. The SELinux people at Debian were mostly Manoj, RJC
and myself. I haven't heard anything from Manoj in months, I'm not able
to do any actual SELinux work anymore and while RJC
On Wed, 06 Feb 2008, Stefano Zacchiroli wrote:
> On Wed, Feb 06, 2008 at 12:27:45PM +0100, maximilian attems wrote:
> > I'd like to work on SELinux packages and bugs.
>
> That's wonderful, thanks for your help offering!
>
> Still, if I'm interpreting cor
Hi,
I'm not a DD, but I'm very interested in SELinux on Debian (but I must
say - not a guru for SELinux yet :).
I'm experimenting with the latest SELinux code on Etch, so if this stuff can
be worth anything for anyone...
http://linux.i.cz/debian/dists/selinux-etch/
Packages are a bit hairy
On Wed, 6 Feb 2008 12:27:45 +0100
maximilian attems <[EMAIL PROTECTED]> wrote:
>
> > The priority of selinux packages was changed from optional to standard,
> > fairly shortly before the release of Etch.
> >
> > I propose to revert that change befor
On Wed, Feb 06, 2008 at 12:27:45PM +0100, maximilian attems wrote:
> I'd like to work on SELinux packages and bugs.
That's wonderful, thanks for your help offering!
Still, if I'm interpreting correctly Frans' and Erich's mails, the
*current* status of SELinux in Debia
> The priority of selinux packages was changed from optional to standard,
> fairly shortly before the release of Etch.
>
> I propose to revert that change before Lenny. The basic reason is that
> the selinux packages have basically been unmaintained since the release
> of
developer share, but I can't tell you where people are going to
> instead. Ubuntu didn't recently strike me as being more attractive, and
> their SELinux and AppArmor stuff is as outdated/stalled as ours.
*cough*
https://lists.ubuntu.com/archives/ubuntu-hardened/2008-February/00028
I agree. Regarding the installed size, on my not-so-barebone KDE lenny
PC (1067 packages installed), installing standard selinux packages would
require 40 MB more. Systems with old HDD-s and miniature systems could
be bothered.
Hello Frans, Hello fellow DDs,
Yes, the SELinux stuff doesn't seem to have any currently active
developers. I haven't heard anything from Manoj in months.
I had to stop working on SELinux myself for various reasons; it's not
that things didn't work, but it was a mixture of pers
The priority of selinux packages was changed from optional to standard,
fairly shortly before the release of Etch.
I propose to revert that change before Lenny. The basic reason is that the
selinux packages have basically been unmaintained since the release of
Etch. Because of that current
aving grub options
available for users in lenny -- for example, excerpts from my
grub menu.lst are:
# kopt=root=/dev/hda6 ro vga=791 splash=silent
# alternative=true
# defoptions=selinux=0 audit=0
# altoptions=(recovery mode) selinux=0 audit=0 single
# altoptions=(SELinux) selinux=1 audit=1
On Monday 21 May 2007 22:56, Erich Schubert <[EMAIL PROTECTED]> wrote:
> > How would that method cope with a cross-build? Emdebian has already
> > built some selinux packages from the Debian sources for a rootfs and
>
> We're talking about policy package dependencie
> > nicer to me than computing it on install time.
> > >
> > > That's fine as long as the dependencies don't change due to local
> > > modifications.
>
> > How would that method cope with a cross-build? Emdebian has already
> > built
ong as the dependencies don't change due to local
> > modifications.
> How would that method cope with a cross-build? Emdebian has already
> built some selinux packages from the Debian sources for a rootfs and
We're talking about policy package dependencies, not about debian
On Mon, 21 May 2007 19:08:34 +1000
Russell Coker <[EMAIL PROTECTED]> wrote:
> On Wednesday 09 May 2007 10:34, Erich Schubert <[EMAIL PROTECTED]> wrote:
> > > SELinux policy modules and debian packages, which discovers the
> > > relationships between modules and
On Wednesday 09 May 2007 10:34, Erich Schubert <[EMAIL PROTECTED]> wrote:
> > SELinux policy modules and debian packages, which discovers the
> > relationships between modules and orders the policy load correctly, so
> > that it can pull in any dependency as required.
On Saturday 19 May 2007 02:00, Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> > We'd also need people to work on e.g. an exim and a tomcat policy.
>
> I don't use exim, or tomcat, so this is likely to take me
> longer. The version I uploaded last night now fixes all the problems I
> saw l
On Saturday 19 May 2007 02:08, Manoj Srivastava <[EMAIL PROTECTED]> wrote:
> On Wed, 16 May 2007 22:54:00 +1000, Russell Coker <[EMAIL PROTECTED]> >
>
I have not yet made this change. I have discovered additional
> issues with cron;
> ,
>
> | #= initrc_t ==
>
since I suspect Debian
does far more in the postinst phase than does Fedora.
>> Given the magnitude of these changes, I am planning on trying to do a
>> backport of SELinux packages for Etch, at least, for the current
>> release, before the kernel requirements diverge too much.
"
| # comm="cp" exe="" path=""
| allow system_crond_t var_t:file { write create setattr };
`
I want to look into these a bit more before making the changes
in refpolicy.
> fsadm_t asks for security_t because it's linked against libblkid.so.1
>
.so.1.02.1 which is linked against
libselinux.so.1. The load phase of libselinux.so.1 will access things
under /selinux. I posted to the SE Linux list about this issue last night
but haven't got any replies yet. I suggest no policy changes in this regard
until we get things sorted out corr
Hi Manoj,
Thanks for the work on getting SELinux strict working!
Are you using an initrd and/or udev in your UML?
> I think we need to create debian specific policy changes to
> allow searching /var, /var/lib. and /var/lib/dpkg. We also read file
> permissions on files in /var
Hi,
I have just uploaded a version of refpolicy that has a number of
Debian specific SELinux policy changes. I can now do and aptitude
update, and aptitude upgrade while running strict policy in enforcing
mode in my UML machine. The createfs.sh script now incorporates all
the
On Thu, 10 May 2007 09:13:40 -0500, Manoj Srivastava
<[EMAIL PROTECTED]> said:
> I am attaching the local.te file below for comment; some of
> this should probably go into the refpolicy package, and, eventually,
> upstream.
Would be nice to actually append the file.
m
Hi folks,
I have started in earnest to try and get the current reference
policy to the point where I can create a headless build virtual machine
running strict policy in enforcing mode. At this point, I have a
local.te file that enables me to log in, either as root or as myself,
moun
On Wed, 9 May 2007 13:00:14 +0200, Gabor Gombas <[EMAIL PROTECTED]> said:
> Well, I don't know much about SElinux (yet) but how about storing the
> modified module at a different location (say under
> /var/selinux/local-policy)? That way the update script can be taught
>
Hi,
> OK. Given a .pp file, how _do_ you detect what version it is?
For installed modules, we can just use "semodule -l"
I haven't tried it, but there is
semanage.semanage_module_get_version
in the python semanage bindings.
I don't know if this only works for installed modules or for pa