Updated release

Updated release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  The site includes a new release of the
LSM-based SELinux prototype.  This release contains bug fixes and
additional policy domains and permissions.  The capability module may
now be stacked with SELinux.  The base for SELinux has been updated to
the lsm-2001_10_11 patch against kernel 2.4.12.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Stephen Smalley]

A few additional notes about this release:

1) A new run_init utility program and domain have been created to allow
administrators to run the init scripts with the appropriate security
context (e.g. to restart daemons) in a secure manner.  This was requested
by several SELinux users.  See the updated README, utils/run_init, and
utils/appconfig/initrc_context.

2) Step 4 of the updated README discusses the issues in running X on
SELinux, whether via startx after an ordinary login or via an X display
manager like xdm, gdm, or kdm.  You must uncomment certain allow
statements in the policy to grant the X server the necessary permissions,
as explained in the README.  Mark Westerman's gdm policy has been merged
into the example policy in order to ensure that it is consistent and kept
up-to-date with the rest of the policy, but you will need to obtain his
modified gdm program separately if you want to use gdm on SELinux.

3) Download Options 4 and 5 were revised in response to the feedback from
the Debian packagers.  The SELinux kernel module is provided as a patch
against the LSM kernel patch (which is identical to the lsm-2001_10_11
patch against 2.4.12 from lsm.immunix.org) rather than being part of the
archive.  The module Makefiles have been revised to ensure that the
architecture-specific symbolic links are generated during the normal
'make dep'.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com










--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[J]

On Wed, 2001-10-17 at 08:05, Stephen Smalley wrote:
> 
> A few additional notes about this release:
> 
> 1) A new run_init utility program and domain have been created to allow
> administrators to run the init scripts with the appropriate security
> context (e.g. to restart daemons) in a secure manner.  This was requested
> by several SELinux users.  See the updated README, utils/run_init, and
> utils/appconfig/initrc_context.

If you are not using PAM it didn't compile so I just moved 
#define CONTEXT_FILE .....
out of the ifdef PAM block. in run_init.c  FYI.

Also newrole.c line 412 almost certanly has an error

I changed
if ( !authenticate_via_shadow_passwd(d p_passwd_line) ) {
to
if ( !authenticate_via_shadow_passwd(p_passwd_line) ) {

Also, I have integrated this with a Slackware 8.0 filewall
that is re-exporting nfs filesystems to samba for windows clients.
It is also running dhcp. I have created iptables, dhcpd, and samba
domains. I also had to change a huge amount of file_contexts. It is
working fine as a production server. I am very pleased with selinux.

J


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH] Bug fixes for non-PAM newrole and run_init (Was: Re: Updated release)

[Stephen Smalley]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1358 bytes --]


On 18 Oct 2001, J wrote:

> If you are not using PAM it didn't compile so I just moved
<snip>
> Also newrole.c line 412 almost certanly has an error
<snip>

Yes, sorry about that.  The fixes for using run_init and newrole when not
using PAM didn't make it in prior to cutting this release.  The attached
patch fixes these errors and makes a few other minor changes.  To apply,
save it to ~/shadow.patch, change to your selinux directory, and run
'patch -p1 < ~/shadow.patch'.  This patch is relative to the sources in
the release.

> Also, I have integrated this with a Slackware 8.0 filewall
> that is re-exporting nfs filesystems to samba for windows clients.
> It is also running dhcp. I have created iptables, dhcpd, and samba
> domains. I also had to change a huge amount of file_contexts. It is
> working fine as a production server. I am very pleased with selinux.

Glad to hear that SELinux is working well for you.  If you are willing to
share your policy customizations, we would be interested in seeing them.
If they aren't too specific to your particular setup, we might roll them
into the example policy in the distribution.  Even if they are very
specific to your setup, it might still be good to make them available for
reference by others, perhaps on the sourceforge selinux project site.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



[-- Attachment #2: Type: TEXT/PLAIN, Size: 4168 bytes --]

Index: selinux/utils/newrole/Makefile
diff -u selinux/utils/newrole/Makefile:1.1.1.1 selinux/utils/newrole/Makefile:1.2
--- selinux/utils/newrole/Makefile:1.1.1.1	Wed Jul 18 16:03:30 2001
+++ selinux/utils/newrole/Makefile	Thu Oct 18 18:20:08 2001
@@ -17,8 +17,8 @@
 # End PAM Flags
 
 # Begin SHADOW flags
-# CFLAGS += -Wall -I/usr/local/selinux/include
-# LIBFLAGS += -lcrypt -lsecure
+#CFLAGS += -Wall -I/usr/local/selinux/include -D_GNU_SOURCE
+#LIBFLAGS += -lcrypt -lsecure
 # End SHADOW flags
 
 # Begin Debugging flags
Index: selinux/utils/newrole/newrole.c
diff -u selinux/utils/newrole/newrole.c:1.1.1.1 selinux/utils/newrole/newrole.c:1.2
--- selinux/utils/newrole/newrole.c:1.1.1.1	Wed Jul 18 16:03:30 2001
+++ selinux/utils/newrole/newrole.c	Thu Oct 18 18:20:08 2001
@@ -56,7 +56,6 @@
 #include <sys/types.h>            /* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		  /* for wait() */
 #include <sys/stat.h>		  /* for struct stat and friends */
-#define _GNU_SOURCE
 #include <getopt.h>               /* for getopt_long() form of getopt() */
 #include <flask_util.h>           /* for is_flask_enabled() */
 #include <proc_secure.h>          /* for getsecsid() */
@@ -184,8 +183,6 @@
  ************************************************************************/
 
 
-#define _XOPEN_SOURCE                       /* for crypt() in unistd.h */
-
 #include <unistd.h>                         /* for getuid(), exit(), crypt() */
 #include <shadow.h>                         /* for shadow passwd functions */
 #include <string.h>                         /* for strlen(), memset() */
@@ -409,7 +406,7 @@
 #ifdef USE_PAM
   if( !authenticate_via_pam(p_passwd_line) ) {
 #else /* !USE_PAM */
-  if( !authenticate_via_shadow_passwd(d p_passwd_line) ) {
+  if( !authenticate_via_shadow_passwd(p_passwd_line) ) {
 #endif /* if/else USE_PAM */
     fprintf(stderr,"newrole: incorrect password\n");
     return(-1);
Index: selinux/utils/run_init/Makefile
diff -u selinux/utils/run_init/Makefile:1.1 selinux/utils/run_init/Makefile:1.2
--- selinux/utils/run_init/Makefile:1.1	Fri Oct 12 20:08:44 2001
+++ selinux/utils/run_init/Makefile	Thu Oct 18 18:20:08 2001
@@ -17,7 +17,7 @@
 # End PAM Flags
 
 # Begin SHADOW flags
-#CFLAGS += -Wall -I/usr/local/selinux/include
+#CFLAGS += -Wall -I/usr/local/selinux/include -D_GNU_SOURCE
 #LIBFLAGS += -lcrypt -lsecure
 # End SHADOW flags
 
Index: selinux/utils/run_init/run_init.c
diff -u selinux/utils/run_init/run_init.c:1.1 selinux/utils/run_init/run_init.c:1.2
--- selinux/utils/run_init/run_init.c:1.1	Fri Oct 12 20:08:44 2001
+++ selinux/utils/run_init/run_init.c	Thu Oct 18 18:20:08 2001
@@ -45,7 +45,6 @@
 #include <sys/types.h>            /* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		  /* for wait() */
 #include <sys/stat.h>		  /* for struct stat and friends */
-#define _GNU_SOURCE
 #include <getopt.h>               /* for getopt_long() form of getopt() */
 #include <flask_util.h>           /* for is_flask_enabled() */
 #include <proc_secure.h>          /* for getsecsid() */
@@ -61,6 +60,7 @@
 "  where: <init> is the name of the init script to run,\n"\
 "         <args ...> are the arguments to that script."
 
+#define CONTEXT_FILE "/etc/security/initrc_context"
 #ifdef USE_PAM
 
 /************************************************************************
@@ -75,7 +75,6 @@
 #include <security/pam_misc.h>    /* for misc_conv PAM utility function */
 
 #define SERVICE_NAME "run_init"   /* the name of this program for PAM */
-#define CONTEXT_FILE "/etc/security/initrc_context"
 				  /* The file containing the context to run 
 				   * the scripts under.                     */
 
@@ -140,9 +139,6 @@
  * All shadow passwd code goes in this section.
  *
  ************************************************************************/
-
-
-#define _XOPEN_SOURCE                       /* for crypt() in unistd.h */
 
 #include <unistd.h>                         /* for getuid(), exit(), crypt() */
 #include <shadow.h>                         /* for shadow passwd functions */

Updated Release

[Howard Holm]

[-- Attachment #1: Type: text/plain, Size: 513 bytes --]

The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
site includes a new release of the SELinux prototype. The current
prototype and the experimental NFS code are now based on Linux kernel
2.6.7. Fine-grained netlink classes and permissions have been added.
Many enhancements and bugfixes for policy as well as userland tools
including slat and setools have been incorporated.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Updated Release

[Howard Holm]

[-- Attachment #1: Type: text/plain, Size: 707 bytes --]

The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
site includes a new release of the SELinux prototype. The current
prototype and the experimental NFS code are now based on Linux kernel
2.6.6. Several races and kernel socket creation have been fixed and a
runtime disable has been added. The old linux 2.4-based kernel patch has
been ported to 2.4.26. The userland patches have been updated from
Fedora Core 2 development. There are now man pages for libselinux. X
server security classes and access vector definitions were added and
many policy updates were made.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Updated Release

[Stephen Smalley]

On Thu, 2004-05-13 at 19:10, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
> site includes a new release of the SELinux prototype. The current
> prototype and the experimental NFS code are now based on Linux kernel
> 2.6.6. Several races and kernel socket creation have been fixed and a
> runtime disable has been added. The old linux 2.4-based kernel patch has
> been ported to 2.4.26. The userland patches have been updated from
> Fedora Core 2 development. There are now man pages for libselinux. X
> server security classes and access vector definitions were added and
> many policy updates were made.

The sourceforge CVS tree has been updated for this release.  Please note
that this is the last planned release for the 2.4-based SELinux; a
snapshot of it will move to the historical versions page in future
releases and no further maintenance on it will be done.
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

[-- Attachment #1: Type: text/plain, Size: 487 bytes --]

The SELinux web site <http://www.nsa.gov/selinux/> has been updated. The
site includes a new release of the SELinux prototype. The current
prototype and the experimental NFS code are now based on Linux kernel
2.6.5. IPv6 support has been added. A new sestatus utility is
available.  A number of bugs have been fixed and many updates have been
made to the example policy.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Updated Release

[Howard Holm]

[-- Attachment #1: Type: text/plain, Size: 780 bytes --]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. OpenPGP signatures are now available for
released code. The site includes a new release of the SELinux prototype.
Experimental SELinux NFS code has been made available. The base kernel
version for 2.4 has been updated to 2.4.25. The base version for 2.6
remains 2.6.3, but the SELinux patch has been updated.  Among the
improvements in this release: Fine-grained boolean labeling support has
been merged. The userspace AVC has been enhanced to handle netlink
selinux notifications. MLS improvements have been merged as well as
updates to slat and the example policy.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Updated Release

[James Carter]

On Fri, 2004-03-12 at 13:34, Howard Holm wrote: 
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. OpenPGP signatures are now available for
> released code. The site includes a new release of the SELinux prototype.
> Experimental SELinux NFS code has been made available. The base kernel


The experimental SELinux NFS patch consists of both a kernel patch and 
userland patches.  The userland patches include a patch to mount adding
a selinuxnfs filesystem type, a xattr mount option, and a selinux mount
option.  There is also has a patch to exportfs to add a selinux export
option.  See the README in the nfs-usr archive for instructions.

The SELinux NFS patch modifies NFS v3 and the SELinux module.  Some of
the modifications:
1.  The client can get and set extended attributes on the server.  (Not
limited to just security.selinux attributes.)
2.  The client labels the security contexts of the selinuxnfs inodes
with the security context received from the server.
3.  The client sends the security context of the process to the server.
4.  The server uses the security context of the process on the client to
make security decisions.
5.  More permission checking on the client and the server.  (Ex.  Not
bypassing access calls to server if it is not an open or access.)

There are still the following limitations:
1.  The client and server need to have essentially the same policy.
2.  The client does not revalidate the security contexts for the NFS
inodes.  If the security context on the server is changed or from
another client, it will not be reflected on the client.  If the change
is made on the client, then the client and server will have the correct
context.  I am currently working on a fix for this.
3.  The fs create context is not currently passed to the server, so it
depends on the client to set the context after the fact, widening the
window where the file exists in the default type.  I am also currently
working on a fix for this.
4.  Due to caching by the client, there is a strong dependence on the
client to enforce the policy; the server can only directly mediate the
initial request for data before it is cached and is also limited by the
protocol.

Note that this patch does not address the RPC socket creation issue
encountered by Stephen Tweedie of Red Hat; addressing that also requires
a separate patch for sock_create.
  
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated and redesigned.  The base kernel versions
have been updated to 2.4.24 and 2.6.3.  The 2.6.3 kernel patches include
significant enhancements including port-based controls, mount context
options, and conditional policy extensions.  libselinux now includes
code for a userspace AVC and discovers the selinuxfx mount point at
runtime.  Many other updates and bugfixes have been applied.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base kernel versions have been updated
to 2.4.23 and 2.6.0-test11. In 2.6.0-test11 controls have been added for
inheritance of signal-related state and resource limits and the network
interface and node controls have been reimplemented.  SysVinit has been
patched to eliminate the need for a modified initrd.  Login now uses a
pam_selinux module.  Many other updates have been made to the tools,
utilities and userland patches.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  SELinux kernel patches for 2.6.0-test6
and 2.4.21 are available.  The updated kernel patches include support
for an selinux boot parameter and improved auditing.  A number of
bugfixes and improvements have been integrated into the user space tools
and utilities.  SRPMs for newer Red Hat packages are available.  The
star package has been added.  The example policy has been updated. 
Improvements have been made to existing policy tools, and a new policy
analysis tool has been added.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Andreas Schuldei]

* Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
> The
> star package has been added.

is that the tar which was enhanced for backing up selinux
attributes?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Fri, 2003-10-03 at 02:47, Andreas Schuldei wrote:
> * Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
> > The
> > star package has been added.
> 
> is that the tar which was enhanced for backing up selinux
> attributes?

It is not the patched tar program from the old SELinux.
Instead, it is a patched form of Joerg Schilling's star(1) archiver.  He
has incorporated the EA support into the upstream star, so we are able
to leverage that support for storing the SELinux attributes in the
archive, but there is a small SELinux-specific patch to use the SELinux
API to create extracted files immediately with their SELinux security
context (rather than having to set the security context _after_ creating
the file), since the xattr API does not support that functionality.
	
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Andreas Schuldei]

* Stephen Smalley (sds@epoch.ncsc.mil) [031003 15:45]:
> On Fri, 2003-10-03 at 02:47, Andreas Schuldei wrote:
> > * Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
> > > The
> > > star package has been added.
> > 
> > is that the tar which was enhanced for backing up selinux
> > attributes?
> 
> It is not the patched tar program from the old SELinux.
> Instead, it is a patched form of Joerg Schilling's star(1) archiver.  He
> has incorporated the EA support into the upstream star, so we are able
> to leverage that support for storing the SELinux attributes in the
> archive, but there is a small SELinux-specific patch to use the SELinux
> API to create extracted files immediately with their SELinux security
> context (rather than having to set the security context _after_ creating
> the file), since the xattr API does not support that functionality.

you mention the xattr api. can this tar be uses to restore
systems or parts of a system, bridging the 2.4 -> 2.6 switch? Or
is it only good for the version of selinux the backup was created
with?

i did not find the rpm (or srpm or tar) file for star on the
download page. what is the url to it?

and who has a backup script, switching from admin to backup
context, and backing up stuff?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Sat, 2003-10-04 at 07:40, Andreas Schuldei wrote:
> you mention the xattr api. can this tar be uses to restore
> systems or parts of a system, bridging the 2.4 -> 2.6 switch? Or
> is it only good for the version of selinux the backup was created
> with?

The star program only works with extended attributes and (with the
SELinux patch) with the new SELinux API.  The old SELinux API was never
supported by star.  Also, just to be clear, the API and implementation
changes to SELinux (including the use of xattr) were back ported to
Linux 2.4, so there is no difference in API or xattr usage between the
current 2.4-based and 2.6-based SELinux.  The old SELinux has been moved
to the historical versions page and is no longer maintained, at least
not by us.

Upgrading an existing system from the old SELinux to the new SELinux
seamlessly is complicated; see the earlier discussions on the list
regarding it, e.g.
http://marc.theaimsgroup.com/?l=selinux&m=106156668426416&w=2

> i did not find the rpm (or srpm or tar) file for star on the
> download page. what is the url to it?

You can obtain any of the SRPMS for the patched daemons and utilities
from http://www.nsa.gov/selinux/SRPMS.  Sorry, we'll add an explicit
link for the star patch and SRPM to the download page next time.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Tom]

On Mon, Oct 06, 2003 at 10:20:20AM -0400, Stephen Smalley wrote:
> Upgrading an existing system from the old SELinux to the new SELinux
> seamlessly is complicated; see the earlier discussions on the list
> regarding it, e.g.
> http://marc.theaimsgroup.com/?l=selinux&m=106156668426416&w=2

On Debian, it's not that hard if you can live with running it in 
non-SELinux or at least permissive mode during the update. I've just 
done it to my notebook last week. Here's a short step-by-step guide:

http://selinux.lemuria.org/install-2.6.html

It doesn't explicitly say so, but the system was a 2.4.21 SELinux
system when I started out.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 443 bytes --]

Andreas Schuldei wrote:

>* Howard Holm (hdholm@epoch.ncsc.mil) [031002 21:37]:
>  
>
>>The
>>star package has been added.
>>    
>>
>
>is that the tar which was enhanced for backing up selinux
>attributes?
>
yes

>
>--
>This message was distributed to subscribers of the selinux mailing list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>  
>

[-- Attachment #2: Type: text/html, Size: 1132 bytes --]

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the
maillist archive has been updated.  The SELinux module has been merged
into the mainline kernel as of 2.6.0-test3.  This release includes new
kernel patches based on the 2.6.0-test3 kernel and a backport of the 2.6
SELinux module to the 2.4.21 kernel.  The new API is consistent between
2.4 and 2.6.  The old 2.4 API and user-space utilities are no longer
actively maintained.  There have been a number of bug fixes and cleanups
to the library and utilities as well as new contributions to the example
policy.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Office of Defensive Computing Research
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Chris PeBenito]

Is this backported 2.6 api non arch-specific, like it is in 2.6?  Or is
it still limited to x86?

On Thu, 2003-08-14 at 06:46, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the
> maillist archive has been updated.  The SELinux module has been merged
> into the mainline kernel as of 2.6.0-test3.  This release includes new
> kernel patches based on the 2.6.0-test3 kernel and a backport of the 2.6
> SELinux module to the 2.4.21 kernel.  The new API is consistent between
> 2.4 and 2.6.  The old 2.4 API and user-space utilities are no longer
> actively maintained.  There have been a number of bug fixes and cleanups
> to the library and utilities as well as new contributions to the example
> policy.
-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[James Carter]

On Thu, 2003-08-14 at 12:14, Chris PeBenito wrote:
> Is this backported 2.6 api non arch-specific, like it is in 2.6?  Or is
> it still limited to x86?

It is not architecture specific, but it has only been tested on x86.  

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The base kernel versions have been
updated to 2.5.74 and 2.4.21.  The SELinux API redesign with xattr
support has been completed for the version 2.5 based kernel.  The
SELinux daemon and utility patches have been ported to the new API. 
Support for the AT_SECURE auxv entry was added.  Changes were made to
bprm hook permission checking and nosuid operation.  A report, "Securing
the X Window System with SELinux" was added to documentation discussing
adding SELinux controls to the window system.  Finally, many contributed
patches to tools and policy have been merged and RPM spec files and
SRPMs are now provided.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Christopher J. PeBenito]

I've been trying out the updated kernel patches, and I'm noticing a some
different behavior with the nfs lockd and rpciod.  With this release,
they're starting up in kernel_t:

 1057    344 system_u:system_r:portmap_t              [portmap]
 1135    346 system_u:system_r:rpcd_t                 [rpc.statd]
 1211    346 system_u:system_r:rpcd_t                 [nfsd]
 1212    346 system_u:system_r:rpcd_t                 [nfsd]
 1213    346 system_u:system_r:rpcd_t                 [nfsd]
 1214    346 system_u:system_r:rpcd_t                 [nfsd]
 1215      1 system_u:system_r:kernel_t               [lockd]
 1216      1 system_u:system_r:kernel_t                \_ [rpciod]
 1217    346 system_u:system_r:rpcd_t                 [nfsd]
 1218    346 system_u:system_r:rpcd_t                 [nfsd]
 1219    346 system_u:system_r:rpcd_t                 [nfsd]
 1220    346 system_u:system_r:rpcd_t                 [nfsd]
 1224    346 system_u:system_r:rpcd_t                 [rpc.mountd]

Its causing a couple denials:

avc:  denied  { recvfrom } for  pid=1216 comm=rpciod saddr=127.0.0.1
source=799 daddr=127.0.0.1 dest=111 netif=lo
scontext=system_u:system_r:portmap_t tcontext=system_u:system_r:kernel_t
tclass=udp_socket
avc:  denied  { recvfrom } for  pid=1215 comm=lockd saddr=127.0.0.1
source=800 daddr=127.0.0.1 dest=890 netif=lo
scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:kernel_t
tclass=udp_socket
avc:  denied  { recvfrom } for  pid=1135 exe=/sbin/rpc.statd
saddr=127.0.0.1 source=890 daddr=127.0.0.1 dest=800 netif=lo
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:rpcd_t
tclass=udp_socket
avc:  denied  { write } for  pid=1215 comm=lockd lport=32770
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:rpcd_t
tclass=udp_socket

However, I immediately restart with the previous release kerenel, w/o
relabelling or any other change, and they start up in rpcd_t:

 1109    342 system_u:system_r:portmap_t              [portmap]
 1182    344 system_u:system_r:rpcd_t                 [rpc.statd]
 1211    344 system_u:system_r:rpcd_t                 [nfsd]
 1212    344 system_u:system_r:rpcd_t                 [nfsd]
 1213    344 system_u:system_r:rpcd_t                 [nfsd]
 1214    344 system_u:system_r:rpcd_t                 [nfsd]
 1215    344 system_u:system_r:rpcd_t                 [nfsd]
 1216    344 system_u:system_r:rpcd_t                 [nfsd]
 1217    344 system_u:system_r:rpcd_t                 [nfsd]
 1218    344 system_u:system_r:rpcd_t                 [nfsd]
 1220    344 system_u:system_r:rpcd_t                 [lockd]
 1221    344 system_u:system_r:rpcd_t                  \_ [rpciod]
 1224    344 system_u:system_r:rpcd_t                 [rpc.mountd]

Is this intended?


On Fri, 2003-07-11 at 14:41, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The base kernel versions have been
> updated to 2.5.74 and 2.4.21.
-- 
Chris PeBenito
<pebenito@ieee.org>
AIM: PeBenito78
ICQ#: 10434387

"Engineering does not require science. Science helps
a lot, but people built perfectly good brick walls 
long before they knew why cement works."-Alan Cox

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Fri, 2003-07-11 at 19:31, Christopher J. PeBenito wrote:
> I've been trying out the updated kernel patches, and I'm noticing a some
> different behavior with the nfs lockd and rpciod.  With this release,
> they're starting up in kernel_t:
> Is this intended?

Yes, these are kernel threads, and they call reparent_to_init, so their
SID is changed to the kernel SID.  This isn't new to this release.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Bill Laut]

On Friday 11 July 2003 03:41 pm, Howard Holm wrote:
>
> [...]
>
> A report, "Securing the X Window System with SELinux" was added to
> documentation discussing adding SELinux controls to the window system.
>

Where is this report located?  I've searched through both the 2.4 and 2.5 kits 
but cannot seem to locate it.

Bill


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Wed, 2003-07-30 at 22:56, Bill Laut wrote:
> On Friday 11 July 2003 03:41 pm, Howard Holm wrote:
> >
> > [...]
> >
> > A report, "Securing the X Window System with SELinux" was added to
> > documentation discussing adding SELinux controls to the window system.
> >
> 
> Where is this report located?  I've searched through both the 2.4 and 2.5 kits 
> but cannot seem to locate it.

http://www.nsa.gov/selinux/x11-abs.html contains links to PDF and
PostScript versions of the document.  That page is linked into the
Documentation page (http://www.nsa.gov/selinux/docs.html), as well as
being directly linked by the What's New page
(http://www.nsa.gov/selinux/news.html).

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The example policy has been updated with
enhancements and cleanups.  A number of bugs have been fixed in the
SELinux module.  The updated module is available for the ia32 2.4.20
Linux kernel.   The updated module is also available for both the
mainline 2.5.66 Linux kernel and an LSM patched 2.5.66 Linux kernel. 
The new mainline module also includes work in preparation for a new
SELinux API.  Finally, a port of SELinux to the arm 2.4.19 kernel is
also now available.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Mon, 2003-04-07 at 16:46, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The example policy has been updated with
> enhancements and cleanups.  A number of bugs have been fixed in the
> SELinux module.  The updated module is available for the ia32 2.4.20
> Linux kernel.   The updated module is also available for both the
> mainline 2.5.66 Linux kernel and an LSM patched 2.5.66 Linux kernel. 
> The new mainline module also includes work in preparation for a new
> SELinux API.  Finally, a port of SELinux to the arm 2.4.19 kernel is
> also now available.

The updated release (2003040709) has been imported and merged into
the sourceforge selinux CVS tree under the 'nsa' module.  As usual,
you can check out a copy via:

cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa

I have not imported the new 2.5 mainline-based SELinux or the ARM port
into the sourceforge CVS tree at present, although I can do so if there
is a demand for it.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen D. Smalley]

The updated release (2003011510) has been imported and merged into
the sourceforge selinux CVS tree under the 'nsa' module.  As usual,
you can check out a copy via:

cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base 2.5 kernel version has been
> updated to 2.5.58.  The base 2.4 kernel version remains at 2.4.20, but
> the LSM patch and the SELinux module for 2.4 have changed since the last
> release.  New contributed policy analysis and policy management tools
> have been added to the provided tools and utilities. Hooks for xattr
> operations were added to 2.4.  Inode security initialization has been
> reworked using the d_instantiate hook.  The nfsd private file bug in 2.4
> has been fixed and the task_kill bug in 2.5 has been fixed.  Configuring
> the SELinux Policy, a technical report included in the documentation,
> has been updated to reflect recent changes.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base 2.5 kernel version has been
updated to 2.5.58.  The base 2.4 kernel version remains at 2.4.20, but
the LSM patch and the SELinux module for 2.4 have changed since the last
release.  New contributed policy analysis and policy management tools
have been added to the provided tools and utilities. Hooks for xattr
operations were added to 2.4.  Inode security initialization has been
reworked using the d_instantiate hook.  The nfsd private file bug in 2.4
has been fixed and the task_kill bug in 2.5 has been fixed.  Configuring
the SELinux Policy, a technical report included in the documentation,
has been updated to reflect recent changes.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen D. Smalley]

The updated release (2002121210) has been imported and merged into
the sourceforge selinux CVS tree under the 'nsa' module.  As usual,
you can check out a copy via:

cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa

On Fri, 12 Dec 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base kernel versions have been updated
> to 2.4.20 and 2.5.51.  Initial SID and context for SCMP packets has been
> added.  Additional policy enhancement and patch contributions have been
> merged. The logrotate patch has been updated to 3.6.5-2. The private
> file oversight in LSM, inode_doinit bug in SELinux, and selopt compile
> problems have all been fixed.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base kernel versions have been updated
to 2.4.20 and 2.5.51.  Initial SID and context for SCMP packets has been
added.  Additional policy enhancement and patch contributions have been
merged. The logrotate patch has been updated to 3.6.5-2. The private
file oversight in LSM, inode_doinit bug in SELinux, and selopt compile
problems have all been fixed.

-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype. The base 2.5 kernel version has been
updated to 2.5.44. The base 2.4 kernel version remains at 2.4.19, but
many changes have been made to the 2.4 LSM patch and to the 2.4 SELinux
module since the last release. The modified login, sshd and crond
programs have been updated to use a new configuration scheme. Socket
handling has been improved. Internally, precondition functions have
been removed in favor of early initialization support. The modified tar
has been updated to tar-1.13.25. A number of other improvements, bug
fixes and policy enhancements have taken place.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

The updated release (2002102211) has been imported and merged into the
sourceforge selinux CVS tree under the 'nsa' module.  As usual, you can
check out a copy via:

cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa

On Wed, 23 Oct 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype. The base 2.5 kernel version has been
> updated to 2.5.44. The base 2.4 kernel version remains at 2.4.19, but
> many changes have been made to the 2.4 LSM patch and to the 2.4 SELinux
> module since the last release. The modified login, sshd and crond
> programs have been updated to use a new configuration scheme. Socket
> handling has been improved. Internally, precondition functions have
> been removed in favor of early initialization support. The modified tar
> has been updated to tar-1.13.25. A number of other improvements, bug
> fixes and policy enhancements have taken place.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of the
LSM-based SELinux prototype.  The base kernel versions were updated to
2.4.19 and 2.5.31.  The SELinux peer SID functionality was
re-implemented with new sock hooks; the accept_secure call should now
be reliable.  The sysctl hook and /proc/sys labeling were made
configurable.  Other minor enhancements were made including checkpolicy
and the example policy.  Bugs were fixed in auditing logic, PSID
mapping code, and ipc permission hook.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

The updated release (2002082308) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module.  As usual, you can
access it via:

cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

On Sat, 24 Aug 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of the
> LSM-based SELinux prototype.  The base kernel versions were updated to
> 2.4.19 and 2.5.31.  The SELinux peer SID functionality was
> re-implemented with new sock hooks; the accept_secure call should now
> be reliable.  The sysctl hook and /proc/sys labeling were made
> configurable.  Other minor enhancements were made including checkpolicy
> and the example policy.  Bugs were fixed in auditing logic, PSID
> mapping code, and ipc permission hook.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of
the LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
prototype remains at kernel 2.4.18.  The development (2.5) LSM-based
SELinux prototype was updated to kernel 2.5.24.  The OpenSSH patch has
been updated to openssh-3.4p1.  The file system labeling support has
been generalized and labeling for kernel-generated IGMP and ICMP
traffic has been added.  Many improvements have been made in the policy
including making many policy sections optional, changing the audit
configuration syntax, adding explicit type attribute declarations, and
merging many contributed domains and policy changes.  The technical
report describing configuration of the policy has also been updated.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Grant Bayley]

Apologies for the delay.

The Wiretapped mirror of SELinux has now been updated with the most recent
(2002070313) versions:

	http://the.wiretapped.net/security/operating-systems/selinux/

Hope this helps,

Grant

-------------------------------------------------------
Grant Bayley                         gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------

On Wed, 3 Jul 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of
> the LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux

[snip]


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Brad Chapman]

Mr. Bayley,

--- Grant Bayley <gbayley@ausmac.net> wrote:
> 
> Apologies for the delay.
> 
> The Wiretapped mirror of SELinux has now been updated with the most recent
> (2002070313) versions:
> 
> 	http://the.wiretapped.net/security/operating-systems/selinux/

      Where is the best place to look for a ChangeLog for this version (i.e.
bugfixes, features, additional policy tweaks, etc.)

> 
> Hope this helps,
> 
> Grant

Thanks,

Brad

> 
> 
> On Wed, 3 Jul 2002, Howard Holm wrote:
> 
> > The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> > list archive has been updated. The site includes a new release of
> > the LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
> 
> [snip]
> 


=====
Brad Chapman

Permanent e-mails: kakadu_croc@yahoo.com
		   jabiru_croc@yahoo.com
		   tanami_croc@devel.lbsd.net

__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Grant Bayley]

Hi,

This mailing list is usually the best place, the archives of which are
online here:

	http://www.nsa.gov/selinux/list-archive/index.html

Howard's post earlier today also mentions the latest updates etc.

Grant

On Thu, 4 Jul 2002, Brad Chapman wrote:

> Mr. Bayley,
>
[snip]
>       Where is the best place to look for a ChangeLog for this version (i.e.
> bugfixes, features, additional policy tweaks, etc.)


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Brad Chapman]

Mr. Bayley,

--- Grant Bayley <gbayley@ausmac.net> wrote:
> Hi,
> 
> This mailing list is usually the best place, the archives of which are
> online here:
> 
> 	http://www.nsa.gov/selinux/list-archive/index.html
> 
> Howard's post earlier today also mentions the latest updates etc.

         I'm sorry, but I can't seem to find this Mr. Howard's post in the
hypermail archives. Have they been updated yet? (IIRC, they are updated only
when a new release of selinux is made)

> 
> Grant

Brad

> 
> On Thu, 4 Jul 2002, Brad Chapman wrote:
> 
> > Mr. Bayley,
> >
> [snip]
> >       Where is the best place to look for a ChangeLog for this version
> (i.e.
> > bugfixes, features, additional policy tweaks, etc.)
> 
> 
> --
> You have received this message because you are subscribed to the selinux
> list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


=====
Brad Chapman

Permanent e-mails: kakadu_croc@yahoo.com
		   jabiru_croc@yahoo.com
		   tanami_croc@devel.lbsd.net

__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Thu, 4 Jul 2002, Brad Chapman wrote:

>          I'm sorry, but I can't seem to find this Mr. Howard's post in the
> hypermail archives. Have they been updated yet? (IIRC, they are updated only
> when a new release of selinux is made)

A new release was made on July 3rd, followed by Howard's announcement
(which naturally won't show up in the archives at the NSA site, as it
occurred after the release).  However, you can see it in the
http://marc.theaimsgroup.com/?l=selinux list archives (and you should have
received a copy if you are subscribed).

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Thu, 4 Jul 2002, Brad Chapman wrote:

>       Where is the best place to look for a ChangeLog for this version (i.e.
> bugfixes, features, additional policy tweaks, etc.)

selinux/ChangeLog in the selinux archive available from the download page.
You can also use the sourceforge CVS tree to generate a full diff between
the releases.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

The updated release (2002070313) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module.   As usual, you can
access it via:

export
CVSROOT=:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux
cvs -z3 co nsa

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated. The site includes a new release of
the LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
prototype remains at kernel 2.4.18.  The development (2.5) LSM-based
SELinux prototype was updated to kernel 2.5.19.  The MLS support has
been enhanced, although it is still experimental. Support was added for
selecting enforcing mode at boot/insertion time. The extended socket
call processing was encapsulated and made optional. Connection peer SID
lists for accept_secure were implemented.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Russell Coker]

On Fri, 31 May 2002 23:32, Howard Holm wrote:
> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated. The site includes a new release of
> the LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
> prototype remains at kernel 2.4.18.  The development (2.5) LSM-based

For 2.4.18 the kernel patch doesn't have the recent patches for 
security_get_sids or the patch for sleeping allocation during a policy load.

Is there some problem with these patches?  Or was this an omission?

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

On Sat, 1 Jun 2002, Russell Coker wrote:

> For 2.4.18 the kernel patch doesn't have the recent patches for
> security_get_sids or the patch for sleeping allocation during a policy load.

I'm not sure what you mean.  I just downloaded the complete lsm-2.4 tree
and the lsm patch from the NSA SELinux web site, and they did include
these patches.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Russell Coker]

On Mon, 3 Jun 2002 14:53, Stephen Smalley wrote:
> On Sat, 1 Jun 2002, Russell Coker wrote:
> > For 2.4.18 the kernel patch doesn't have the recent patches for
> > security_get_sids or the patch for sleeping allocation during a policy
> > load.
>
> I'm not sure what you mean.  I just downloaded the complete lsm-2.4 tree
> and the lsm patch from the NSA SELinux web site, and they did include
> these patches.

I have checked it again, it seems that I made a mistake.  I may have 
mistakenly used the latest LSM release when comparing instead.

It seems that the version on the NSA site has all the patches plus some new 
socket and MLS support.  I'll have it in Debian tomorrow.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

The updated release (2002053110) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module.  As usual, you can
access it via:

export
CVSROOT=:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux
cvs -z3 co nsa

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  Two new technical reports are available
in the documentation: a document describing the policy language and a
document describing the current LSM implementation of SELinux.  The
site also includes a new release of the LSM-based SELinux prototype.
The stable (2.4) LSM-based SELinux prototype remains at kernel 2.4.18.
The development (2.5) LSM-based SELinux prototype was updated to kernel
2.5.10.  A number of policy improvements, minor feature enhancements
and bug fixes have also been made.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Grant Bayley]

The Australian mirror of these files has now been updated:

	ftp://ftp.wiretapped.net/sd3a/security/operating-systems/selinux/
	http://the.wiretapped.net/security/operating-systems/selinux/

On Thu, 2 May 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated.  Two new technical reports are available
> in the documentation: a document describing the policy language and a
> document describing the current LSM implementation of SELinux.  The
> site also includes a new release of the LSM-based SELinux prototype.
> The stable (2.4) LSM-based SELinux prototype remains at kernel 2.4.18.
> The development (2.5) LSM-based SELinux prototype was updated to kernel
> 2.5.10.  A number of policy improvements, minor feature enhancements
> and bug fixes have also been made.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

The updated release (2002050211) has been imported and merged into the
sourceforge selinux CVS tree, under the 'nsa' module.  As usual, you can
access it via:

export CVSROOT=:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux
cvs -z3 co nsa

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

On Thu, 2 May 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated.  Two new technical reports are available
> in the documentation: a document describing the policy language and a
> document describing the current LSM implementation of SELinux.  The
> site also includes a new release of the LSM-based SELinux prototype.
> The stable (2.4) LSM-based SELinux prototype remains at kernel 2.4.18.
> The development (2.5) LSM-based SELinux prototype was updated to kernel
> 2.5.10.  A number of policy improvements, minor feature enhancements
> and bug fixes have also been made.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1056 bytes --]


On Fri, 15 Mar 2002, Westerman, Mark wrote:

> There is a problem with the build in the updated release.
>
> I was to quick and did not figure out the what was causing the
> problem. When doing a make quickinstall (on a clean install of
> RedHat) some install program create install itself as
> /usr/local/selinux/sbin. Since sbin was a program and not
> a directory the make failed

Thanks for the bug report.  The selinux/selopt Makefiles assume that the
/usr/local/selinux hierarchy has been created, and end up installing
binaries as /usr/local/selinux/sbin if that directory has not already been
created.  That was a reasonable assumption for James, because selopt was
originally intended to be installed after an initial install of SELinux.
When we merged it, we didn't fix this.  Sorry.  The attached patch moves
the selopt install after the utils install, at which point this assumption
holds.  Longer term, we should just fix the selopt Makefiles to create
the target directories if necessary.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



[-- Attachment #2: Type: TEXT/PLAIN, Size: 2180 bytes --]

Index: Makefile
===================================================================
RCS file: /cvs/lsm/selinux/Makefile,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- Makefile	2002/03/15 15:38:25	1.8
+++ Makefile	2002/03/15 16:26:47	1.9
@@ -22,10 +22,10 @@
 	cd policy && make install
 	@echo "Building and installing libsecure."
 	cd libsecure && make install
-	@echo "Building and installing the SELOPT utils."
-	cd selopt && make LSMVER=$(LSMVER) && make install
 	@echo "Building and installing the modified daemons and the new or modified utilities."
 	cd utils && make install
+	@echo "Building and installing the SELOPT utils."
+	cd selopt && make LSMVER=$(LSMVER) && make install
 	@echo "Installing the application context configuration files."
 	if [ ! -f /etc/security/default_context ]; then install -m 644 utils/appconfig/default_context /etc/security; fi
 	if [ ! -f /etc/security/default_type ]; then install -m 644 utils/appconfig/default_type /etc/security; fi
Index: README
===================================================================
RCS file: /cvs/lsm/selinux/README,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -r1.60 -r1.61
--- README	2002/03/15 15:38:25	1.60
+++ README	2002/03/15 16:26:47	1.61
@@ -180,21 +180,21 @@
    make install
    cd ..
 
-7) If you want to experiment with the labeled networking support, then
-   build and install the Selopt utilities:
-   cd selopt
-   make (or make LSMVER=-2.5)
-   su (if not already root)
-   make install
-   cd ..
-
-8) Build and install the modified applications.
+7) Build and install the modified applications.
    If you are running RH7.1, then first edit the utils/Makefile,
    commenting out the LOGROTATE_VER definition for RH7.2 and uncommenting 
    the corresponding definition for RH7.1.
 
    cd utils
    make
+   su (if not already root)
+   make install
+   cd ..
+
+8) If you want to experiment with the labeled networking support, then
+   build and install the Selopt utilities:
+   cd selopt
+   make (or make LSMVER=-2.5)
    su (if not already root)
    make install
    cd ..

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  The site includes a new release of the
LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
prototype was updated to kernel 2.4.18.  The development (2.5)
LSM-based SELinux prototype was updated to kernel 2.5.6.  The modified
utilities have been updated to Red Hat Linux 7.2-based versions.  A
number of new policy domains have been added and policy restructured.
Support for usbdevfs and work for labeled networking has been added.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Stephen Smalley]

The CVS tree at the sourceforge selinux site has been synchronized with
the new release.  As usual, the lsm-2.4, lsm-2.5, and selinux trees can be
found under the 'nsa' directory in CVS.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



On Thu, 14 Mar 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated.  The site includes a new release of the
> LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
> prototype was updated to kernel 2.4.18.  The development (2.5)
> LSM-based SELinux prototype was updated to kernel 2.5.6.  The modified
> utilities have been updated to Red Hat Linux 7.2-based versions.  A
> number of new policy domains have been added and policy restructured.
> Support for usbdevfs and work for labeled networking has been added.
>
> --
> Howard Holm <hdholm@epoch.ncsc.mil>
> Secure Systems Research Office
> National Security Agency
>
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated Release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  The site includes a new release of the
LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
prototype was updated to kernel 2.4.17 and was updated to include a
number of bug fixes and minor enhancements made since the previous
release. A new development (2.5) LSM-based SELinux prototype based on
kernel 2.5.2 was also added to the site.  The original SELinux
prototype (which was not based on LSM) has been reduced to just the
2.2.19 and 2.4.3 kernel patches for historical reference. The technical
report describing the design and implementation of the original 2.2
kernel patch is also still available for historical reference.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated Release

[Grant Bayley]

These files are now available at Wiretapped in Sydney, Australia:

http://the.wiretapped.net/security/operating-systems/selinux/
ftp://ftp.wiretapped.net/pub/security/operating-systems/selinux/

Grant

-------------------------------------------------------
Grant Bayley                         gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------


On Fri, 18 Jan 2002, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated.  The site includes a new release of the
> LSM-based SELinux prototype.  The stable (2.4) LSM-based SELinux
> prototype was updated to kernel 2.4.17 and was updated to include a

[snip]


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  The site includes a new release of the
LSM-based SELinux prototype.  This release is based on the
lsm-full-2001_12_10 patch against kernel 2.4.16 which merges SELinux
into the LSM tree.  Many utilities have been updated to newer versions
to improve compatibility with Red Hat 7.2. Auditing has been revised
for easier parsing and several additional bugs were fixed.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Grant Bayley]

Hi all,

The SELinux mirror at Wiretapped in Sydney, Australia has now been updated
with the new release:

	http://the.wiretapped.net/security/operating-systems/selinux/
	ftp://ftp.wiretapped.net/pub/security/operating-systems/selinux/

Main archives:

	http://www.wiretapped.net/

Grant

-------------------------------------------------------
Grant Bayley                         gbayley@ausmac.net
-IT Manager @ FNL Communications       (www.fnl.com.au)
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------


On Mon, 10 Dec 2001, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated.  The site includes a new release of the
> LSM-based SELinux prototype.  This release is based on the
> lsm-full-2001_12_10 patch against kernel 2.4.16 which merges SELinux
> into the LSM tree.  Many utilities have been updated to newer versions
> to improve compatibility with Red Hat 7.2. Auditing has been revised
> for easier parsing and several additional bugs were fixed.
>
> --
> Howard Holm <hdholm@epoch.ncsc.mil>
> Secure Systems Research Office
> National Security Agency
>
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated release

[Howard Holm]

The SELinux web site <http://www.nsa.gov/selinux/> including the mail
list archive has been updated.  The site includes a new release of the
LSM-based SELinux prototype.  This release is based on the
lsm-2001_11_05 patch against kernel 2.4.14.  It fixes a number of bugs,
cleans up some code, and is based on newer versions of the kernel and
utilities.

The following changes should be carefully noted if you have previously
installed SELinux:

1) LSM has renamed all LSM-related configuration options to use a
CONFIG_SECURITY prefix, and we have done likewise for the SELinux
kernel option.  This means that old .config files aren't quite right
anymore.  You can still use them, but you'll need to explicitly enable
the LSM-related (IP Networking hooks, Capabilities) and SELinux options
again when you configure (unless you hand edit your old .config file to
reflect the name changes).

2) A small change was made to the policydb format, so you need to
rebuild checkpolicy and recompile your policy with the updated
checkpolicy program.  Also, if you have customized your policy, you
need to at least pick up a new initial SID definition (sysctl_net_unix)
in the initial_sid_contexts file.

3) The execve_secure system call has been reimplemented via the general
security system call.  Previously, this system call remained as a
separate entrypoint due to the inability to access register state
(needed by execve) from the general security system call, but this was
undesireable because only the security call is reserved in the
mainstream kernel.  We found that we could reimplement the
execve_secure call via the security call by replacing the LSM security
call entrypoint function with our own architecture-specific entrypoint
function that can support both execve_secure and all of our other
calls.  So you must recompile libsecure and relink all applications
that use exec.*_secure against it (runas, newrole, crond, run_init,
sshd, login, Mark Westerman's modified gdm).  This will be a nuisance
for current users, but ensures that you should never have to do so
again, since the security syscall is reserved, unlike the old separate
entrypoint for execve_secure.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Grant Bayley]

Australian SELinux mirror now updated:

	http://the.wiretapped.net/security/operating-systems/selinux/

(in the LSM-based prototype, we're mirroring the all-in-one tarball and
the two-parts tarballs (no need to mirror the patches separately.  Also
documentation mirror has been updated as well.)

Grant

-------------------------------------------------------
Grant Bayley                         gbayley@ausmac.net
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------


On Tue, 20 Nov 2001, Howard Holm wrote:

> The SELinux web site <http://www.nsa.gov/selinux/> including the mail
> list archive has been updated.  The site includes a new release of the
> LSM-based SELinux prototype.  This release is based on the
> lsm-2001_11_05 patch against kernel 2.4.14.  It fixes a number of bugs,
> cleans up some code, and is based on newer versions of the kernel and
> utilities.
>
> The following changes should be carefully noted if you have previously
> installed SELinux:
>
> 1) LSM has renamed all LSM-related configuration options to use a
> CONFIG_SECURITY prefix, and we have done likewise for the SELinux
> kernel option.  This means that old .config files aren't quite right
> anymore.  You can still use them, but you'll need to explicitly enable
> the LSM-related (IP Networking hooks, Capabilities) and SELinux options
> again when you configure (unless you hand edit your old .config file to
> reflect the name changes).
>
> 2) A small change was made to the policydb format, so you need to
> rebuild checkpolicy and recompile your policy with the updated
> checkpolicy program.  Also, if you have customized your policy, you
> need to at least pick up a new initial SID definition (sysctl_net_unix)
> in the initial_sid_contexts file.
>
> 3) The execve_secure system call has been reimplemented via the general
> security system call.  Previously, this system call remained as a
> separate entrypoint due to the inability to access register state
> (needed by execve) from the general security system call, but this was
> undesireable because only the security call is reserved in the
> mainstream kernel.  We found that we could reimplement the
> execve_secure call via the security call by replacing the LSM security
> call entrypoint function with our own architecture-specific entrypoint
> function that can support both execve_secure and all of our other
> calls.  So you must recompile libsecure and relink all applications
> that use exec.*_secure against it (runas, newrole, crond, run_init,
> sshd, login, Mark Westerman's modified gdm).  This will be a nuisance
> for current users, but ensures that you should never have to do so
> again, since the security syscall is reserved, unlike the old separate
> entrypoint for execve_secure.
>
> --
> Howard Holm <hdholm@epoch.ncsc.mil>
> Secure Systems Research Office
> National Security Agency
>
>
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated release

[Howard Holm]

The NSA SELinux web site (http://www.nsa.gov/selinux/) has been updated.
It includes a completely new variant of the SELinux prototype
based on the Linux Security Modules (LSM) work.  This patches for the
LSM-based prototype are based on the Linux 2.4.9 kernel, and the patches
for the utilities are known to work with Red Hat Linux 7.1.

Additional web site updates include additional papers and presentations,
and the long awaited updating of the SELinux hyper-mail mail list archives.
Remember, current archives are always available via e-mail (see
http://www.nsa.gov/selinux/list.html) even when the hyper-mail archives are
out of date.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Group
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated release

[Howard Holm]

The SELinux web site including the mail list archive has been updated.
The site includes a new release of the LSM-based SELinux prototype.
This release contains many bug fixes and improvements to both LSM and
SELinux and is based on the lsm-2001_09_23 patch against kernel 2.4.10.
The release includes new and reworked hooks to control additional
operations.

The policy now includes hwclock_t and ping_t domains for hwclock and
ping (from David Wheeler,) an ipsec_t domain for the FreeSWAN IKE
daemon and programs (from Mark Westerman,) and an httpd_t domain
for Apache (from MITRE.)  None of these has been extensively tested
by the NSA SELinux team, and they may require some additional work.
Note that we have not yet included any FreeSWAN or Apache components
in the material distributed with SELinux.

We have chosen not to release patches to our previous patches.  You will
need a complete set of patches or the complete (already patched) source
code.  We believe that the patches to patches were not being utilized
enough to justify the work to create them.  If you would rather apply
updates as patches to our previous patches, please notify me directly
at the address below so we can gauge the interest.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Grant Bayley]

Hi everyone,

And the mirror at Wiretapped in Australia is now updated as well (the
NSA site has been a bit slow today...):

	http://the.wiretapped.net/security/operating-systems/selinux/
	ftp://ftp.wiretapped.net/pub/security/operating-systems/selinux/

The layout should be fairly obvious...

Hope this helps,

Grant

On Thu, 27 Sep 2001, Howard Holm wrote:

> The SELinux web site including the mail list archive has been updated.
> The site includes a new release of the LSM-based SELinux prototype.
> This release contains many bug fixes and improvements to both LSM and
> SELinux and is based on the lsm-2001_09_23 patch against kernel 2.4.10.
> The release includes new and reworked hooks to control additional
> operations.

 [snip]


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Conan Callen]

I checked the changes file didn't find anything to indicate any changes in
the area below. I wanted to double check and see if anyone had some
pointers.

When the updated kernel is built can the existing policy be used?

Is it nessessary to rebuild the policy dir, setfiles, relable, etc. If so, can
the previous config files & te files be copied in or have any file formats
changed?

Conan Callen
Windowpane




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Stephen Smalley]

On Sat, 29 Sep 2001, Conan Callen wrote:

> I checked the changes file didn't find anything to indicate any changes in
> the area below. I wanted to double check and see if anyone had some
> pointers.

The selinux/ChangeLog file has a summary of the changes to LSM and
SELinux since the last release.

> When the updated kernel is built can the existing policy be used?
> 
> Is it nessessary to rebuild the policy dir, setfiles, relable, etc. If so, can
> the previous config files & te files be copied in or have any file formats
> changed?

I would generally recommend doing a full installation, following the
instructions in README as before.  You don't need to do step 8 unless you
were running the non-LSM SELinux prototype.  There have been changes to
the policy and setfiles/file_contexts configuration since the last
release.  If you made customizations to your policy and  
setfiles/file_contexts, then you should check whether the same 
customizations are still needed, since we may have merged them into the 
example policy.  We try to merge policy customizations into the example
policy when people contribute them back to us as long as they are
reasonable.  The configuration languages haven't changed, other than
the addition of the policy/devfs_contexts file for devfs file labeling.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com






--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated release

[Howard Holm]

The NSA web site (www.nsa.gov/selinux) for Security-enhanced Linux was
updated Friday.

Changes include:

- Documentation now includes the slides used by Pete Loscocco at the
  Linux 2.5 Kernel Summit.
- The mailing list archives are more current
- Kernel patches are now provided for kernel versions 2.2.19 and 2.4.3

--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated release

[Howard Holm]

An updated release of Security-enhanced Linux has been posted on the
NSA web site (www.nsa.gov/selinux).

Changes include:

- Updated information on the developers' mailing list and archives was
  made available.
- Answers to Frequently Asked Questions were added to the site. 
- Kernel patches are now provided for 2.4.2 and 2.2.18. 
  - The 2.4.2 patch includes changes to virtualize the persistent SID
    mapping interfaces and the file mandatory access controls.
  - The 2.2.18 patch includes several bug fixes to the old 2.2-based
    patch. It also includes a new implementation of System V IPC
    mandatory access controls. These controls have not yet been ported to
    the 2.4 kernel.
  - Both the 2.2.18 and 2.4.2 patches incorporate a change in the
    implementation of the new system calls that is not backward
    compatible with the old implementation. Hence, the updated libsecure
    must be compiled and all modified utilities must be relinked against it.
- The util-linux patch is now provided for the util-linux-2.10s sources
  from kernel.org.
- The procps patch is now provided for the procps-010114 sources from
  http://www.cs.uml.edu/~acahalan/procps.
- The vixie-cron patch is now provided for the vixie-cron-3.0.1-61
  sources from RedHat.
- A small fix was made to the spasswd wrapper program to ensure that it
  is not mistakenly used by an administrator to try to change another
  user's password. A README was added to explain the purpose of this
  program.
- The shadow password file is no longer moved by the installation
  scripts, and the modified versions of libpwdb, sulogin, and the shadow
  utilities are no longer provided. The relocation of the shadow password
  file was creating compatibility problems with a number of applications
  despite the updatedlibpwdb. A different approach for maintaining a
  separate security context on the shadow password file will be
  implemented in the future.
- The modified versions of rshd and wu-ftpd were removed from the
  distribution and each of these daemons were limited to their initial
  domain in the example policy configuration.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Updated release

[Grant Bayley]

The Australian mirror of this information that I've been keeping is now
updated with the new release, the updated documentation and any new
information in the supplementary pages.  It's available via HTTP and FTP
at the following URLs:

	ftp://ftp.wiretapped.net/wd2a/security/operating-systems/selinux/
	http://the.wiretapped.net/security/operating-systems/selinux/

Grant

-------------------------------------------------------
Grant Bayley                         gbayley@ausmac.net
-IT Manager @ FNL Communications       (www.fnl.com.au)
-Admin @ AusMac Archive, Wiretapped.net, 2600 Australia
 www.ausmac.net   www.wiretapped.net   www.2600.org.au
-------------------------------------------------------


On Fri, 16 Mar 2001, Howard Holm wrote:

> An updated release of Security-enhanced Linux has been posted on the
> NSA web site (www.nsa.gov/selinux).
>

[snip]


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Updated release

[Pete Loscocco]

An updated release of Security-enhanced Linux that corrects some of the
minor problems in the original release has been posted on the NSA web
site (www.nsa.gov/selinux).

Changes include:

- moving the numbers of the new system calls to avoid conflicts
- fixing the buffer overflow problem discovered in the
  find_default_type function in libsecure
- removed extra ';' in policy grammar
- minor adjustments in kernel/flask/Makefile

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.