* audit2allow successfully got rid of the avc errors
@ 2004-05-18 20:36 Luke Kenneth Casson Leighton
  2004-05-19  3:04 ` Russell Coker
  0 siblings, 1 reply; 2+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-05-18 20:36 UTC (permalink / raw)
  To: SE-Linux

hooray!  okay, i'm a step closer to being able to switch on selinux=1.

recompiling and installing the selinux patched 2.6.6 kernel
on both the build and target system did the trick.

hm.

that's taken up like about... a week, maybe more, just finding that
out.

... is there any way of adding in version detection, to throw up a
really blatant and repetitive in-yer-face warning, say, on every
single avc message, that says something along the lines of 
"your policy version is 17, this kernel supports version 15;
your userspace tools were built with kernel version 2.6.4, this
is kernel version 2.6.6; you can expect some things to fail.
go away and rebuild".

or at the very least, the versioning rules need to be enforced
in the packaging (yes i realise how much of a pain that'd be).

meta-packages could do the trick.

meta package named selinux-2.6.6 with dependencies on
kernel-image-2.6.6-1-386 | kernel-image-2.6.6-1-686 |
kernel-image-2.6.6-1-k7 etc. and on
policycoreutils-2.6.6 etc.

because that's what's effectively needed, isn't it?

and then the build dependencies specifically need to
be on kernel-image-2.6.6-1-XXX as well.

l.

-- 
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
http://lkcl.net
lkcl@lkcl.net


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
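
The version check asked for in the message above, as an added example that is not part of the thread or of any SELinux tool: it reads the version field from a kernel binary policy header and compares it with the highest version the running kernel reports. The function names, the constructed sample header and the two `policyvers` paths tried are assumptions of this example.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # magic number of a kernel binary policy
POLICYDB_STRING = b"SE Linux"    # identifier string that follows the magic


def policy_version(blob: bytes) -> int:
    """Return the policy version stored in a binary policy header."""
    if len(blob) < 8:
        raise ValueError("truncated policy header")
    magic, strlen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("not a kernel binary policy (bad magic)")
    end = 8 + strlen
    if blob[8:end] != POLICYDB_STRING or len(blob) < end + 4:
        raise ValueError("bad or truncated policy identifier")
    return struct.unpack_from("<I", blob, end)[0]


def kernel_max_version(paths=("/sys/fs/selinux/policyvers",
                              "/selinux/policyvers")):
    """Highest policy version the running kernel accepts, or None."""
    for path in paths:  # assumed selinuxfs mount points, newest first
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return None


def mismatch_warning(policy_ver, kernel_max):
    """Return a warning string, or None when the kernel can load the policy."""
    if kernel_max is None:
        return "cannot read the kernel's policy version (selinuxfs not mounted?)"
    if policy_ver > kernel_max:
        return (f"your policy version is {policy_ver}, this kernel supports "
                f"version {kernel_max}; rebuild the policy or the kernel")
    return None


# Constructed sample: the header of a version 17 policy, not a real policy file.
SAMPLE = (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
          + POLICYDB_STRING + struct.pack("<I", 17))

if __name__ == "__main__":
    # Kernel maximum of 15 is taken from the wording of the message above.
    print(mismatch_warning(policy_version(SAMPLE), 15))
```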


* Re: audit2allow successfully got rid of the avc errors
  2004-05-18 20:36 audit2allow successfully got rid of the avc errors Luke Kenneth Casson Leighton
@ 2004-05-19  3:04 ` Russell Coker
  0 siblings, 0 replies; 2+ messages in thread
From: Russell Coker @ 2004-05-19  3:04 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SE-Linux

On Wed, 19 May 2004 06:36, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> ... is there any way of adding in version detection, to throw up a
> really blatant and repetitive in-yer-face warning, say, on every
> single avc message, that says something along the lines of
> "your policy version is 17, this kernel supports version 15;
> your userspace tools were built with kernel version 2.6.4, this
> is kernel version 2.6.6; you can expect some things to fail.
> go away and rebuild".

That is not required.  I think that I have tested all viable combinations of 
kernel and policy version and never had a problem.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
