Problem with defaulting answers to selinux-policy-default

Problem with defaulting answers to selinux-policy-default

[Dale Amon]

[-- Attachment #0: Type: message/rfc822, Size: 2519 bytes --]

From: Dale Amon <amon@vnl.com>
To: selinux@tycho.nsa.gov
Subject: Problem with defaulting answers to selinux-policy-default
Date: Fri, 6 Feb 2004 21:51:14 +0000
Message-ID: <20040206215114.GJ21675@vnl.com>

I think Russell is again buried in email and work, so
perhaps someone else can make a suggestion. It is probably
something simple I would have known about if I had not
been off on the road. I've a few hours here and there
over the next week or so (maybe) so I wanted to try to
get this working again:


As you probably remember, I use a set of build scripts
to do this all completely hands off. It looks like 
something broke them again while I was off doing other
jobs. I see the following:

-------
Using policy installation method "Semi-Automatic"
Copying the sample /usr/share/selinux/policy/current directory from
/usr/share/selinux/policy/default
Removal of unwanted policy files
Removing "current/domains/program/gnome-pty-helper.te"
Include "Checkpolicy - SELinux policy compliler" (current/domains/program/checkpolicy.te) in policy?
 (References known installed packages: checkpolicy)
 Yes/No/Display/Background [Y/n/d/b]? 

-------

but I shouldn't be seeing it at all because the install
is being done with this line:

"${CHROOT_BIN}"/yes "" | PRIORITY=low DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get -qqqqq -y install "$name" > /dev/null

where in this case $name is selinux-policy-default.

Any idea what I now have to do to make this line
just unconditionally *do it* and not ask silly
questions? Keep in mind that the install is to a
de novo system, a freshly created loopback file.

Either something of mine has died of bitrot in the
last 2 months while I was doing other things, or
something has changed in the way this package
installs.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problem with defaulting answers to selinux-policy-default

[Russell Coker]

On Mon, 9 Feb 2004 03:32, Dale Amon <amon@vnl.com> wrote:
> I think Russell is again buried in email and work, so

Sorry for the delay.

> Using policy installation method "Semi-Automatic"
> Copying the sample /usr/share/selinux/policy/current directory from
> /usr/share/selinux/policy/default
> Removal of unwanted policy files
> Removing "current/domains/program/gnome-pty-helper.te"
> Include "Checkpolicy - SELinux policy compliler"
> (current/domains/program/checkpolicy.te) in policy? (References known
> installed packages: checkpolicy)
>  Yes/No/Display/Background [Y/n/d/b]?

What I probably need to do is to have a debconf setting allowing you to say 
"c" to all questions about policy changes, and then get Colin's code working 
for installing new .te files IFF they are needed.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problem with defaulting answers to selinux-policy-default

[Dale Amon]

On Mon, Feb 09, 2004 at 04:02:48PM +1100, Russell Coker wrote:
> Sorry for the delay.

You've got a great deal on your plate... I run into your
trail all over opensourcistan.... :-)
 
> > Using policy installation method "Semi-Automatic"
> > Copying the sample /usr/share/selinux/policy/current directory from
> > /usr/share/selinux/policy/default
> > Removal of unwanted policy files
> > Removing "current/domains/program/gnome-pty-helper.te"
> > Include "Checkpolicy - SELinux policy compliler"
> > (current/domains/program/checkpolicy.te) in policy? (References known
> > installed packages: checkpolicy)
> >  Yes/No/Display/Background [Y/n/d/b]?
> 
> What I probably need to do is to have a debconf setting allowing you to say 
> "c" to all questions about policy changes, and then get Colin's code working 
> for installing new .te files IFF they are needed.

I still don't really understand though why my

	yes "" | <etc>

didn't cause the default Y answer to be taken. I will
naturally take a closer look at my own scripts to see
if anything broke, but I do not remember doing anything
that should have affected this.

(Of course anything that makes it easier for me to
 build my from scratch test systems is welcome!)

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problem with defaulting answers to selinux-policy-default

[Dale Amon]

Had some time this weekend and I'm making some progress
on fixing my scripts to deal with the changes. I did a
bit of handwaving with debconf-loadtemplate and 
debconf-configure to sort things out...

I get an error in the Automatic build though:

ERROR 'unknown type klogd_t' at token ';' on line 39546:
neverallow ~klogd_t proc_kmsg_t:file ~{ getattr };

So I punt this one into Russell's Endzone...

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problem with defaulting answers to selinux-policy-default

[Russell Coker]

On Sun, 15 Feb 2004 02:51, Dale Amon <amon@vnl.com> wrote:
> Had some time this weekend and I'm making some progress
> on fixing my scripts to deal with the changes. I did a
> bit of handwaving with debconf-loadtemplate and
> debconf-configure to sort things out...
>
> I get an error in the Automatic build though:
>
> ERROR 'unknown type klogd_t' at token ';' on line 39546:
> neverallow ~klogd_t proc_kmsg_t:file ~{ getattr };

You should have klogd.te included.  I'll have to change the policy package to 
not allow you to deselect such files.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problem with defaulting answers to selinux-policy-default

[Dale Amon]

On Sun, Feb 15, 2004 at 03:18:45AM +1100, Russell Coker wrote:
> You should have klogd.te included.  I'll have to change the policy package to 
> not allow you to deselect such files.

Here's where it is happening:

Using policy installation method "Automatic"
Copying the sample /usr/share/selinux/policy/current directory from
/usr/share/selinux/policy/default
Removal of unwanted policy files
Removing "current/domains/program/gnome-pty-helper.te"
Keeping "current/domains/program/checkpolicy.te"
Keeping "current/domains/program/chkpwd.te"
Keeping "current/domains/program/crond.te"
Keeping "current/domains/program/crontab.te"
Keeping "current/domains/program/fsadm.te"
Keeping "current/domains/program/getty.te"
Keeping "current/domains/program/ifconfig.te"
Keeping "current/domains/program/init.te"
Keeping "current/domains/program/initrc.te"
Removing "current/domains/program/klogd.te"
Keeping "current/domains/program/ldconfig.te"
Keeping "current/domains/program/load_policy.te"
Keeping "current/domains/program/login.te"


-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.