success story

success story

[Tom]

thanks to the incredible work done by everyone involved, especially
russel coker, I've been able to run avc_toggle for the first time ever
without making the system come to a screetching halt. even better, sshd
and apache continued to run just fine (postfix and proftpd didn't, but
hey, I need something to do tomorrow, too :) ).

I've had a bunch of cron errors, and a few other messages, so I've
rebooted back into permissive mode to fix this first. should I post the
audit messages I received here, or somewhere else? this is a woody
system with russel's packages and policy, but maybe other people are
interested in the results, too?


-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: success story

[Russell Coker]

On Wed, 28 Aug 2002 14:56, Tom wrote:
> thanks to the incredible work done by everyone involved, especially
> russel coker, I've been able to run avc_toggle for the first time ever
> without making the system come to a screetching halt. even better, sshd
> and apache continued to run just fine (postfix and proftpd didn't, but
> hey, I need something to do tomorrow, too :) ).

Please try my latest policy on http://www.coker.com.au/selinux/policy.tgz 
which will be in my next Debian package.  It has some changes to the Postfix 
policy that might address your problems.  As for proftpd, it should work 
already, please send me the errors off-list.

Also when installing the new policy you'll have to relabel the root file 
system and reboot, the changes are significant.

> I've had a bunch of cron errors, and a few other messages, so I've
> rebooted back into permissive mode to fix this first. should I post the
> audit messages I received here, or somewhere else? this is a woody
> system with russel's packages and policy, but maybe other people are
> interested in the results, too?

I think that I'm the only person who's interested in seeing error messages 
resulting from my policy, especially from the previous version which was 
quite different from the NSA release.  My next version will be very close to 
the CVS tree on Sourceforce when it's released, and I hope that at the time 
of the next NSA release my tree will not have any significant differences 
from the NSA tree.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: success story

[Tom]

On Wed, Aug 28, 2002 at 03:35:57PM +0200, Russell Coker wrote:
> Please try my latest policy on http://www.coker.com.au/selinux/policy.tgz 

oops, I didn't know you release them daily. :)

mine was from last week or so. I installed your latest one and indeed,
proftpd works great. there are still some postfix errors. I'll have a
better look tomorrow.



-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: success story

[Russell Coker]

On Wed, 28 Aug 2002 16:54, Tom wrote:
> On Wed, Aug 28, 2002 at 03:35:57PM +0200, Russell Coker wrote:
> > Please try my latest policy on http://www.coker.com.au/selinux/policy.tgz
>
> oops, I didn't know you release them daily. :)

I don't "release" them daily.  That URL is for non-release versions, 
development snapshots.  "Release" versions are in Debian packages and can be 
downloaded through apt-get.

> mine was from last week or so. I installed your latest one and indeed,

OK, I was under the impression that you had an older one than that.

> proftpd works great. there are still some postfix errors. I'll have a
> better look tomorrow.

I look forward to it.  Although please make sure that you have the correct 
labels on files, the postfix.fc has changed a bit recently...

Postfix is very complex and it's difficult to get right.  :(

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.