* SuSE
  2001-06-27 12:21 Slackware Jeffrey Denton
@ 2001-06-27 17:28 ` Milos Rancic
  2001-06-27 20:27   ` SuSE Milos Rancic
  0 siblings, 1 reply; 21+ messages in thread
From: Milos Rancic @ 2001-06-27 17:28 UTC (permalink / raw)
  To: SELinux

Did anyone work with SELinux & SuSE? The most important thing is how YaSE
works with SELinux.

Best
Milos


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SuSE
  2001-06-27 17:28 ` SuSE Milos Rancic
@ 2001-06-27 20:27   ` Milos Rancic
  0 siblings, 0 replies; 21+ messages in thread
From: Milos Rancic @ 2001-06-27 20:27 UTC (permalink / raw)
  To: SELinux

Sorry for replying... YaSE=YaST

Milos





* SUSE
@ 2003-01-19 23:58 Russell Coker
  2003-01-20 20:02 ` SUSE Carsten Grohmann
  0 siblings, 1 reply; 21+ messages in thread
From: Russell Coker @ 2003-01-19 23:58 UTC (permalink / raw)
  To: SELinux; +Cc: Carsten Grohmann

In my talk for the GLLUG yesterday one member of the audience expressed great 
interest in SUSE.  Carsten, how is the SUSE progress going?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SUSE
  2003-01-19 23:58 SUSE Russell Coker
@ 2003-01-20 20:02 ` Carsten Grohmann
  0 siblings, 0 replies; 21+ messages in thread
From: Carsten Grohmann @ 2003-01-20 20:02 UTC (permalink / raw)
  To: Russell Coker, SELinux

On Monday, 20 January 2003 00:58, Russell Coker wrote:
> In my talk for the GLLUG yesterday one member of the audience expressed
> great interest in SUSE.  Carsten, how is the SUSE progress going?

More slow than fast. At the moment I have much to do and to learn, but in the
next weeks, after an update to SuSE 8.1, it will go faster.
The rpms for SuSE on my homepage are not up to date at the moment.
After the update...

Carsten


* Suse
@ 2004-05-13 22:53 Ed Street
  2004-05-14 12:19 ` Suse Stephen Smalley
  2004-05-14 13:18 ` Suse Stephen Smalley
  0 siblings, 2 replies; 21+ messages in thread
From: Ed Street @ 2004-05-13 22:53 UTC (permalink / raw)
  To: 'Selinux'

Hello,

I received my SuSE 9.1 CDs in the mail today and was wondering if we have
anyone working on this distro.

Ed

 



* RE: Suse
@ 2004-05-14  6:54 Jaroslaw Nozderko
  0 siblings, 0 replies; 21+ messages in thread
From: Jaroslaw Nozderko @ 2004-05-14  6:54 UTC (permalink / raw)
  To: Selinux

Not yet, I'm just going to purchase 9.1...
Waiting for your opinions and observations :)

Regards,
Jarek

Jaroslaw Nozderko
GSM +48 601131870 / Kapsch (22) 6075013
jaroslaw.nozderko@polkomtel.com.pl
IT/CCBS/RS - Analyst Programmer
  

* Re: Suse
  2004-05-13 22:53 Suse Ed Street
@ 2004-05-14 12:19 ` Stephen Smalley
  2004-05-14 12:23   ` Suse Ed Street
  2004-05-14 13:18 ` Suse Stephen Smalley
  1 sibling, 1 reply; 21+ messages in thread
From: Stephen Smalley @ 2004-05-14 12:19 UTC (permalink / raw)
  To: Ed Street; +Cc: 'Selinux'

On Thu, 2004-05-13 at 18:53, Ed Street wrote:
> I received my SuSE 9.1 CDs in the mail today and was wondering if we
> have anyone working on this distro.

Thomas Bleher has SELinux packages for SuSE 9.0, so they are likely a
good starting point: http://www.cip.ifi.lmu.de/~bleher/selinux/suse/
You may want to just use our upstream .tgz files or the Fedora SRPMs for
the main SELinux packages (checkpolicy, libselinux, policycoreutils,
policy) to get our latest code, and just use his packages for the
patched userland.

Note that I've changed the URL for SuSE SELinux packages in the
selinux-doc README to this location, as his packages seem to be more
up-to-date than the ones provided earlier by Paul Dwerryhouse
(http://leapster.org/linux/selinux/suse/) and Carsten Grohmann is no
longer maintaining SELinux packages for SuSE.  The selinux-doc README
includes URLs for SELinux packages for the various distros that I know
of, i.e. Debian, Fedora Core, Gentoo, and SuSE.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* RE: Suse
  2004-05-14 12:19 ` Suse Stephen Smalley
@ 2004-05-14 12:23   ` Ed Street
  2004-05-14 12:34     ` Suse Stephen Smalley
  0 siblings, 1 reply; 21+ messages in thread
From: Ed Street @ 2004-05-14 12:23 UTC (permalink / raw)
  To: 'Stephen Smalley'; +Cc: 'Selinux'

Hello,

Suse 9.1 uses kernel 2.6 and I'm thinking the 9.0 stuff would be very dated.
The better option may be going with the upstream or the fedora srpm.

Ed


* RE: Suse
  2004-05-14 12:23   ` Suse Ed Street
@ 2004-05-14 12:34     ` Stephen Smalley
  0 siblings, 0 replies; 21+ messages in thread
From: Stephen Smalley @ 2004-05-14 12:34 UTC (permalink / raw)
  To: Ed Street; +Cc: 'Selinux'

On Fri, 2004-05-14 at 08:23, Ed Street wrote:
> Suse 9.1 uses kernel 2.6 and I'm thinking the 9.0 stuff would be very dated.
> The better option may be going with the upstream or the fedora srpm.

I think Thomas Bleher was using a 2.6 SELinux kernel, but am not
certain.  But even if he were using the current 2.4 SELinux kernel, it
has the same API (recall that Jim Carter back-ported the API changes and
xattr support from 2.6 to 2.4), so the patched userland should work
fine.  It is true that the Fedora SRPMS will have the latest selinux
patches, and that the patches have undergone changes, so it would be
good for Thomas or you to at least check your selinux patches against
the latest ones and see whether it is worthwhile to pull in updated
versions.  We try to keep a core set of patches available for reference
from http://www.nsa.gov/selinux/patches and in the sourceforge CVS tree,
but that is only a subset of the full set of SELinux patches in Fedora
Core 2 devel.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Suse
  2004-05-13 22:53 Suse Ed Street
  2004-05-14 12:19 ` Suse Stephen Smalley
@ 2004-05-14 13:18 ` Stephen Smalley
  2004-05-14 22:40   ` Suse Ed Street
  1 sibling, 1 reply; 21+ messages in thread
From: Stephen Smalley @ 2004-05-14 13:18 UTC (permalink / raw)
  To: Ed Street; +Cc: 'Selinux'

On Thu, 2004-05-13 at 18:53, Ed Street wrote:
> I received my SuSE 9.1 CDs in the mail today and was wondering if we
> have anyone working on this distro.

Actually, you might want to check to see whether the SuSE 9.1 kernel and
userland packages already have SELinux support before replacing them.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* RE: Suse
  2004-05-14 13:18 ` Suse Stephen Smalley
@ 2004-05-14 22:40   ` Ed Street
  2004-05-15 23:27     ` Suse Thomas Bleher
  2004-05-17 11:43     ` Suse Stephen Smalley
  0 siblings, 2 replies; 21+ messages in thread
From: Ed Street @ 2004-05-14 22:40 UTC (permalink / raw)
  To: 'Stephen Smalley'; +Cc: 'Selinux'

Hello,

As was suspected, it appears that suse 9.1 pro (shipping) has all the selinux
userland patches in place but no policy and no kernel support. I see the
same startup in suse 9.1 as I do in fedora fc2t3, so it's disabled.

Ed


* Re: Suse
  2004-05-14 22:40   ` Suse Ed Street
@ 2004-05-15 23:27     ` Thomas Bleher
  2004-05-16  2:16       ` Suse Ed Street
                         ` (2 more replies)
  2004-05-17 11:43     ` Suse Stephen Smalley
  1 sibling, 3 replies; 21+ messages in thread
From: Thomas Bleher @ 2004-05-15 23:27 UTC (permalink / raw)
  To: 'Selinux'

* Ed Street <edstreet@street-tek.com> [2004-05-15 02:09]:
> As was suspected it appears that suse 9.1 pro (shipping) has all the selinux
> userland patches in place but no policy and no kernel support. I see the
> same startup in suse 9.1 as I do in fedora fc2t3 so it's disabled.

I just glanced over the SuSE 9.1 packages and made the following
observations (Note: didn't test or install anything):
Most relevant packages have SELinux support included. Things that are
still missing: cron, init and util-linux (vipw, chfn, context mount support)

It should not be all too difficult to add the missing pieces by looking
at the Fedora packages and mine for 9.0.
Updating policycoreutils, libselinux and checkpolicy (at version 1.8 in
SuSE 9.1) should be very easy, I just took the fedora packages and
recompiled them on SuSE.

Please note that I will support the SuSE 9.0 packages but won't update
to 9.1 in the foreseeable future (6-9 months).

Another thing is policy: The included policy contains some SuSE-specific
cleanup but otherwise is very old (v1.4). I have been working on a proper
policy for SuSE for some time now in the background. It still has some
rough edges which I want to smooth before I submit the policy for
inclusion. If you or anyone else wants an intermediate copy, just drop
me a note!

Thanks,
Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7


* RE: Suse
  2004-05-15 23:27     ` Suse Thomas Bleher
@ 2004-05-16  2:16       ` Ed Street
  2004-05-16 17:59       ` Suse Ed Street
  2004-05-17  0:27       ` Suse Russell Coker
  2 siblings, 0 replies; 21+ messages in thread
From: Ed Street @ 2004-05-16  2:16 UTC (permalink / raw)
  To: 'Thomas Bleher', 'Selinux'

Hello,

I would be more than happy to give it a spin.  I put it on my mini-ITX
machine and may be buying a micro-ATX for SuSE.  My CDs just arrived a few
days ago and I installed it last night.  I did notice that libselinux and
the basic userland mods have been included but it's a few versions behind.
Overall I am greatly pleased with this as it's a big step forward for the
project.

One thing that I'm very displeased about: when doing my 200+ meg updates (yea,
200+ already) I noticed that many of the packages are NOT GPG signed by the
maintainers!

Ed


* RE: Suse
  2004-05-15 23:27     ` Suse Thomas Bleher
  2004-05-16  2:16       ` Suse Ed Street
@ 2004-05-16 17:59       ` Ed Street
  2004-05-19 12:18         ` Suse Thorsten Kukuk
  2004-05-17  0:27       ` Suse Russell Coker
  2 siblings, 1 reply; 21+ messages in thread
From: Ed Street @ 2004-05-16 17:59 UTC (permalink / raw)
  To: 'Thomas Bleher', 'Selinux'

Hello,

What is suse 9.1 using for auditing, and how does this affect the EAL3+
rating?

Ed


* Re: Suse
  2004-05-15 23:27     ` Suse Thomas Bleher
  2004-05-16  2:16       ` Suse Ed Street
  2004-05-16 17:59       ` Suse Ed Street
@ 2004-05-17  0:27       ` Russell Coker
  2004-05-17  4:14         ` Suse Ed Street
  2004-05-17 23:13         ` [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse) Thomas Bleher
  2 siblings, 2 replies; 21+ messages in thread
From: Russell Coker @ 2004-05-17  0:27 UTC (permalink / raw)
  To: 'Selinux'

On Sun, 16 May 2004 09:27, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> Another thing is policy: The included policy contains some SuSE-specific
> cleanup but otherwise is very old (v1.4). I have been working on a proper
> policy for SuSE for some time now in the background. It still has some
> rough edges which I want to smooth before I submit the policy for
> inclusion. If you or anyone else wants an intermediate copy, just drop
> me a note!

It's probably best to discuss policy issues on this list as they arise.  If 
you make a posting to the list about 100 different policy issues then some of 
them will get less attention than they deserve.  Also minor stuff can 
probably be merged immediately without any issues.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* RE: Suse
  2004-05-17  0:27       ` Suse Russell Coker
@ 2004-05-17  4:14         ` Ed Street
  2004-05-17 23:13         ` [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse) Thomas Bleher
  1 sibling, 0 replies; 21+ messages in thread
From: Ed Street @ 2004-05-17  4:14 UTC (permalink / raw)
  To: 'Selinux'

Hello,

This is a very good point to bring up. I have an extra machine or 3 here and
can help out in the suse department area :)  From what I've seen so far
adapting policy should be a reasonably simple matter for the most part.

Ed


* RE: Suse
  2004-05-14 22:40   ` Suse Ed Street
  2004-05-15 23:27     ` Suse Thomas Bleher
@ 2004-05-17 11:43     ` Stephen Smalley
  1 sibling, 0 replies; 21+ messages in thread
From: Stephen Smalley @ 2004-05-17 11:43 UTC (permalink / raw)
  To: Ed Street; +Cc: 'Selinux'

On Fri, 2004-05-14 at 18:40, Ed Street wrote:
> As was suspected it appears that suse 9.1 pro (shipping) has all the selinux
> userland patches in place but no policy and no kernel support. I see the
> same startup in suse 9.1 as I do in fedora fc2t3 so it's disabled.

I don't have a copy of SuSE 9.1 myself, but based on a posting to lkml
with the boot messages from the SuSE 9.1 kernel, it looks like the
kernel _does_ include SELinux support, but it is just running in
permissive/no-policy mode.  So you merely need to load a policy, either
via an initrd or by replacing /sbin/init with the SELinux-patched
version.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
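One way to tell the situations in this thread apart (no SELinux in the kernel at all, SELinux compiled in but selinuxfs not mounted, SELinux present but no policy loaded, a loaded policy in permissive or enforcing mode), as an added example that is not code from the list, from SuSE or from libselinux: it reads the same kernel interfaces that libselinux's is_selinux_enabled() historically checked, including the initial "kernel" context every task carries until a policy is loaded, and takes a root prefix so constructed /proc and /selinux trees can be inspected offline.

```python
"""Report how far SELinux is actually present on a running system.

Added example, not code from the list or from any distribution.  The checks
mirror what libselinux's is_selinux_enabled() looked at, but each intermediate
state is reported separately: a kernel with SELinux compiled in and selinuxfs
mounted but no policy loaded shows up as every process still running in the
initial "kernel" context.  `root` is a path prefix (normally "/") so that a
constructed tree can be tested without root privileges.
"""
import os
import tempfile

# selinuxfs mount points: the 2004-era location and the current one
SELINUXFS_MOUNTS = ("selinux", "sys/fs/selinux")


def selinux_state(root="/"):
    """Return 'absent', 'not-mounted', 'no-policy', 'permissive' or 'enforcing'."""
    # 1. Does the kernel know the selinuxfs filesystem type at all?
    try:
        with open(os.path.join(root, "proc/filesystems")) as f:
            known = [line.split()[-1] for line in f if line.strip()]
    except OSError:
        known = []
    if "selinuxfs" not in known:
        return "absent"
    # 2. Is selinuxfs mounted?  Its 'enforce' node is the simplest witness.
    for mnt in SELINUXFS_MOUNTS:
        enforce_node = os.path.join(root, mnt, "enforce")
        if os.path.exists(enforce_node):
            break
    else:
        return "not-mounted"
    # 3. Before a policy is loaded every task carries the initial SID whose
    #    context string is "kernel"; a loaded policy replaces it.
    try:
        with open(os.path.join(root, "proc/self/attr/current")) as f:
            current = f.read().rstrip("\0\n")
    except OSError:
        current = ""
    if current == "kernel":
        return "no-policy"
    # 4. Policy loaded: the enforce node separates permissive (0) from enforcing (1).
    with open(enforce_node) as f:
        return "enforcing" if f.read().strip() == "1" else "permissive"


def build_fake_root(base, selinuxfs_known, mounted, current, enforce="0"):
    """Constructed /proc and /selinux skeleton for offline testing."""
    os.makedirs(os.path.join(base, "proc/self/attr"))
    with open(os.path.join(base, "proc/filesystems"), "w") as f:
        f.write("nodev\tproc\n\text3\n")
        if selinuxfs_known:
            f.write("nodev\tselinuxfs\n")
    with open(os.path.join(base, "proc/self/attr/current"), "w") as f:
        f.write(current)
    if mounted:
        os.makedirs(os.path.join(base, "selinux"))
        with open(os.path.join(base, "selinux/enforce"), "w") as f:
            f.write(enforce)


def demo():
    """Five constructed systems, from 'no SELinux at all' to enforcing."""
    scenarios = {
        "plain kernel":          dict(selinuxfs_known=False, mounted=False, current=""),
        "selinux, fs unmounted": dict(selinuxfs_known=True, mounted=False, current="kernel"),
        "selinux, no policy":    dict(selinuxfs_known=True, mounted=True, current="kernel"),
        "policy, permissive":    dict(selinuxfs_known=True, mounted=True,
                                      current="system_u:system_r:init_t", enforce="0"),
        "policy, enforcing":     dict(selinuxfs_known=True, mounted=True,
                                      current="system_u:system_r:init_t", enforce="1"),
    }
    results = {}
    for name, args in scenarios.items():
        with tempfile.TemporaryDirectory() as base:
            build_fake_root(base, **args)
            results[name] = selinux_state(base)
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print("%-24s -> %s" % (name, state))
```

Run against a live box with `selinux_state("/")`; the "selinux, no policy" result is the SuSE 9.1 picture described above, where the kernel has SELinux but nothing has loaded a policy yet.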



* [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse)
  2004-05-17  0:27       ` Suse Russell Coker
  2004-05-17  4:14         ` Suse Ed Street
@ 2004-05-17 23:13         ` Thomas Bleher
  2004-05-18 20:18           ` Russell Coker
  2004-05-18 21:02           ` Luke Kenneth Casson Leighton
  1 sibling, 2 replies; 21+ messages in thread
From: Thomas Bleher @ 2004-05-17 23:13 UTC (permalink / raw)
  To: 'Selinux'


* Russell Coker <russell@coker.com.au> [2004-05-17 04:17]:
> On Sun, 16 May 2004 09:27, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > Another thing is policy: The included policy contains some SuSE-specific
> > cleanup but otherwise is very old (v1.4). I have been working on a proper
> > policy for SuSE for some time now in the background. It still has some
> > rough edges which I want to smooth before I submit the policy for
> > inclusion. If you or anyone else wants an intermediate copy, just drop
> > me a note!
> 
> It's probably best to discuss policy issues on this list as they arise.  If 
> you make a posting to the list about 100 different policy issues then some of 
> them will get less attention than they deserve.  Also minor stuff can 
> probably be merged immediately without any issues.

This is a very good point.
I just went through my tree and collected the patches (not all
SuSE-specific) which I think can be applied immediately.
The patches are:
* binfmt_misc.patch - add support for mounting the binfmt_misc fs
* file_contexts.patch - add a bunch of file contexts
* cleanup.patch - some very small cleanup and policy additions
The patches should apply cleanly against current CVS.

Thanks,
Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: binfmt_misc.patch --]
[-- Type: text/plain, Size: 1954 bytes --]

diff -urN orig/domains/program/initrc.te mod/domains/program/initrc.te
--- orig/domains/program/initrc.te	2004-03-23 21:58:08.000000000 +0100
+++ mod/domains/program/initrc.te	2004-05-18 00:56:47.000000000 +0200
@@ -288,6 +288,8 @@
 allow initrc_t sysfs_t:lnk_file { getattr read };
 allow initrc_t udev_runtime_t:file rw_file_perms;
 allow initrc_t device_type:chr_file { setattr };
+allow initrc_t binfmt_misc_fs_t:dir { getattr search };
+allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
 ifdef(`pam.te', `
 allow initrc_t pam_var_run_t:dir rw_dir_perms;
 allow initrc_t pam_var_run_t:file { getattr read unlink };
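Review bot: the two added initrc_t rules grant `write` on binfmt_misc_fs_t:file, and writing binfmt_misc's control files is how new binary-format handlers get registered with the kernel, so this is a security-relevant grant even for the init scripts; add a comment above the rules naming the boot script that registers handlers and why `write` and `ioctl` are needed, so a later reader can tell a deliberate permission set from one copied verbatim out of a denial message.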
diff -urN orig/domains/program/mount.te mod/domains/program/mount.te
--- orig/domains/program/mount.te	2004-05-12 14:56:49.000000000 +0200
+++ mod/domains/program/mount.te	2004-05-18 00:56:47.000000000 +0200
@@ -56,6 +56,9 @@
 # On some RedHat systems, /boot is a mount point
 allow mount_t boot_t:dir mounton;
 allow mount_t device_t:dir mounton;
+# mount binfmt_misc on /proc/sys/fs/binfmt_misc
+allow mount_t sysctl_t:dir { mounton search };
+
 ifdef(`devfsd.te', `
 allow mount_t device_t:filesystem { mount unmount };
 ')
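Review bot: `allow mount_t sysctl_t:dir { mounton search }` is wider than the comment above it describes: sysctl_t covers every directory under /proc/sys, not only /proc/sys/fs/binfmt_misc, so mount_t may now mount over any sysctl directory. If no narrower type exists for /proc/sys/fs, say so in the comment so the breadth is a recorded decision rather than an accident; the hunk also adds an empty `+` line before the ifdef that should be dropped.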
diff -urN orig/genfs_contexts mod/genfs_contexts
--- orig/genfs_contexts	2004-05-11 19:55:37.000000000 +0200
+++ mod/genfs_contexts	2004-05-18 00:56:47.000000000 +0200
@@ -96,4 +96,5 @@
 genfscon usbfs / system_u:object_r:usbfs_t
 genfscon nfsd / system_u:object_r:nfsd_fs_t
 genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
 
diff -urN orig/types/file.te mod/types/file.te
--- orig/types/file.te	2004-05-12 14:56:52.000000000 +0200
+++ mod/types/file.te	2004-05-18 00:56:47.000000000 +0200
@@ -26,6 +26,7 @@
 type usbfs_t, fs_type;
 type nfsd_fs_t, fs_type;
 type rpc_pipefs_t, fs_type;
+type binfmt_misc_fs_t, fs_type;
 
 #
 # file_t is the default type of a file that has not yet been

[-- Attachment #1.3: file_contexts.patch --]
[-- Type: text/plain, Size: 6972 bytes --]

diff -ur orig/file_contexts/program/ipsec.fc mod/file_contexts/program/ipsec.fc
--- orig/file_contexts/program/ipsec.fc	2004-03-03 21:53:52.000000000 +0100
+++ mod/file_contexts/program/ipsec.fc	2004-05-18 00:39:56.000000000 +0200
@@ -17,3 +17,7 @@
 /usr/local/sbin/ipsec	--	system_u:object_r:ipsec_mgmt_exec_t
 /var/run/ipsec\.info		system_u:object_r:ipsec_var_run_t
 /var/run/pluto\.ctl		system_u:object_r:ipsec_var_run_t
+
+# Kame
+/usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
+/usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t
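Review bot: `/usr/sbin/setkey` is labelled ipsec_exec_t together with racoon, but setkey is the SA/SPD management utility rather than a daemon, and the existing entry at the top of the hunk keeps the management tool (`/usr/local/sbin/ipsec`) in ipsec_mgmt_exec_t; either label setkey ipsec_mgmt_exec_t or add a comment explaining why it should run in the daemon's domain.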
diff -ur orig/file_contexts/program/iptables.fc mod/file_contexts/program/iptables.fc
--- orig/file_contexts/program/iptables.fc	2004-02-02 16:17:23.000000000 +0100
+++ mod/file_contexts/program/iptables.fc	2004-05-18 00:39:56.000000000 +0200
@@ -2,3 +2,7 @@
 /sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
 /sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
 /sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
+/usr/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
+/usr/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
+/usr/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
+
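Review bot: the new `/usr/sbin/iptables.*` line reproduces the stray space before the tab from the `/sbin/iptables.*` line it mirrors, and the hunk ends with an empty `+` line; both are whitespace-only differences, so clean them up before they get copied further.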
diff -ur orig/file_contexts/program/logrotate.fc mod/file_contexts/program/logrotate.fc
--- orig/file_contexts/program/logrotate.fc	2004-03-03 21:53:52.000000000 +0100
+++ mod/file_contexts/program/logrotate.fc	2004-05-18 00:39:56.000000000 +0200
@@ -1,6 +1,7 @@
 # logrotate
 /usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t
 /usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t
+/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t
 /etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
 /var/lib(64)?/logrotate.status --	system_u:object_r:logrotate_var_lib_t
 /var/lib(64)?/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t
diff -ur orig/file_contexts/program/lpd.fc mod/file_contexts/program/lpd.fc
--- orig/file_contexts/program/lpd.fc	2004-04-07 19:14:04.000000000 +0200
+++ mod/file_contexts/program/lpd.fc	2004-05-18 00:39:56.000000000 +0200
@@ -3,6 +3,7 @@
 /dev/lp.*		-c	system_u:object_r:printer_device_t
 /dev/par.*		-c	system_u:object_r:printer_device_t
 /dev/usb/lp.*		-c	system_u:object_r:printer_device_t
+/dev/usblp.*		-c	system_u:object_r:printer_device_t
 /usr/sbin/lpd		--	system_u:object_r:lpd_exec_t
 /usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t
 /var/spool/lpd(/.*)?		system_u:object_r:print_spool_t
diff -ur orig/file_contexts/program/restorecon.fc mod/file_contexts/program/restorecon.fc
--- orig/file_contexts/program/restorecon.fc	2004-03-08 21:45:32.000000000 +0100
+++ mod/file_contexts/program/restorecon.fc	2004-05-18 00:39:56.000000000 +0200
@@ -1,2 +1,3 @@
 # restorecon
 /usr/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
+/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
diff -ur orig/file_contexts/program/rpm.fc mod/file_contexts/program/rpm.fc
--- orig/file_contexts/program/rpm.fc	2004-05-05 09:36:29.000000000 +0200
+++ mod/file_contexts/program/rpm.fc	2004-05-18 00:39:56.000000000 +0200
@@ -52,3 +52,8 @@
 /usr/share/system-config-nfs/nfs-export.py	--	system_u:object_r:bin_t
 /usr/share/pydict/pydict.py	--	system_u:object_r:bin_t
 /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
+# SuSE
+/usr/bin/online_update		--	system_u:object_r:rpm_exec_t
+/sbin/yast2			--	system_u:object_r:rpm_exec_t
+/var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
+
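Review bot: labelling `/sbin/yast2` and `/usr/bin/online_update` rpm_exec_t puts all of YaST, not just its package installation, into rpm_t; YaST also edits network, user and boot configuration, and rpm_t's permissions are written for installing packages rather than for editing arbitrary system configuration. A comment saying this is a deliberate interim choice (with a dedicated yast domain as the intended follow-up) would make the trade-off visible; the hunk also ends with an empty `+` line.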
diff -ur orig/file_contexts/program/screen.fc mod/file_contexts/program/screen.fc
--- orig/file_contexts/program/screen.fc	2004-03-09 16:31:36.000000000 +0100
+++ mod/file_contexts/program/screen.fc	2004-05-18 00:39:56.000000000 +0200
@@ -3,3 +3,7 @@
 HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_home_screen_t
 /var/run/screen/S-[^/]+	-d	system_u:object_r:screen_dir_t
 /var/run/screen/S-[^/]+/.*	<<none>>
+# SuSE puts this under /tmp ...
+/tmp/uscreens		-d	system_u:object_r:var_run_t
+/tmp/uscreens/S-[^/]+	-d	system_u:object_r:screen_dir_t
+/tmp/uscreens/S-[^/]+/.*	<<none>>
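Review bot: file_contexts entries only take effect when setfiles/restorecon relabels, so the `/tmp/uscreens -d var_run_t` entry will not govern the directory screen creates at runtime, which gets its type from the creating domain and any type_transition in screen.te; and since /tmp is world-writable, a user can pre-create /tmp/uscreens in their own type before screen ever runs. Pair the entry with the matching transition rule, or have the SuSE build use /var/run/screen like the entries above, and say which in the commit message.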
diff -ur orig/file_contexts/program/xdm.fc mod/file_contexts/program/xdm.fc
--- orig/file_contexts/program/xdm.fc	2004-03-17 19:26:06.000000000 +0100
+++ mod/file_contexts/program/xdm.fc	2004-05-18 00:39:56.000000000 +0200
@@ -1,6 +1,7 @@
 # X Display Manager
 /usr/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
 /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
+/opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
 /var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
 /usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
@@ -11,9 +12,8 @@
 /etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t
 /etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t
 /etc/X11/wdm/Xstartup.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/wdm/Xreset.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/wdm/Xsession	--	system_u:object_r:xsession_exec_t
-/etc/X11/xdm/Xsession	--	system_u:object_r:xsession_exec_t
+/etc/X11/[wx]dm/Xreset.*	--	system_u:object_r:xsession_exec_t
+/etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t
 /etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t
 /var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t
 /var/run/console.*		system_u:object_r:xdm_var_run_t
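Review bot: merging the `wdm` and `xdm` lines into `/etc/X11/[wx]dm/Xreset.*` and `/etc/X11/[wx]dm/Xsession` is not a pure cleanup: the removed lines covered `wdm/Xreset.*`, `wdm/Xsession` and `xdm/Xsession`, so the merged regex newly labels `/etc/X11/xdm/Xreset.*` as `xsession_exec_t`. That is probably desired, but it should be stated in the patch description, and the `xdm` side relies on a directory entry for `/etc/X11/xdm(/.*)?` (the `wdm` equivalent is visible at the top of this hunk as `xdm_rw_etc_t`) existing earlier in the file.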
@@ -30,7 +30,8 @@
 #
 # Rules for kde login
 #
-/etc/kde/kdm/Xstartup   --		system_u:object_r:bin_t
-/etc/kde/kdm/Xreset     --		system_u:object_r:bin_t
-/etc/kde/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
+/etc/kde3?/kdm/Xstartup   --		system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
+/etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
 /usr/lib(64)?/qt-3.2/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
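Review bot: besides the `kde3?` path fix, this hunk changes the type of `Xstartup` and `Xreset` from `bin_t` to `xsession_exec_t`, which changes how xdm executes these scripts (an `xsession_exec_t` entry is what the X session transition keys on) rather than only which paths match; that deserves its own sentence in the description. The new `/etc/kde3?/kdm/Xsession` line also duplicates `/etc/kde/kdm/Xsession`, which the previous hunk leaves in place with the same type, so the older line should go to keep one entry per path; and the added `Xsession` line uses a tab before `--` where its neighbours use spaces.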
diff -ur orig/file_contexts/types.fc mod/file_contexts/types.fc
--- orig/file_contexts/types.fc	2004-05-05 09:36:29.000000000 +0200
+++ mod/file_contexts/types.fc	2004-05-18 00:39:56.000000000 +0200
@@ -58,6 +58,7 @@
 #
 # A common mount point
 /mnt(/.*)?		-d	system_u:object_r:mnt_t
+/media(/.*)?		-d	system_u:object_r:mnt_t
 
 #
 # /var
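Review bot: the comment above the two entries still reads `A common mount point` and names only `/mnt`; with `/media` added it should describe both directories as mount-point roots. The `-d` flag is consistent with the `/mnt` line, which means only directories under `/media` receive `mnt_t`; any regular file created directly under `/media` falls through to the default label, which is worth stating if SuSE's tooling creates such files there.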
@@ -214,6 +215,9 @@
 /sys(/.*)?			<<none>>
 /selinux(/.*)?			<<none>>
 /opt(/.*)?			system_u:object_r:usr_t
+/opt/[^/]*/bin(/.*)?		system_u:object_r:bin_t
+/opt/[^/]*/lib(/.*)?		system_u:object_r:lib_t
+/opt/[^/]*/man(/.*)?		system_u:object_r:man_t
 
 #
 # /etc
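Review bot: `[^/]*` in all three added entries also matches an empty component (so `/opt//bin` would match); `[^/]+` expresses the intent of "one package directory" exactly. The `lib` entry is also missing the `(64)?` variant that the rest of the file uses for library directories (`/usr/lib(64)?` appears later in this patch), so `/opt/[^/]+/lib(64)?(/.*)?` would keep 64-bit package trees consistent with `/usr`.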
@@ -277,6 +281,7 @@
 /usr/man(/.*)?			system_u:object_r:man_t
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
+/usr/share/texmf/teTeX/bin(/.*)?	system_u:object_r:bin_t
 
 #
 # /usr/bin
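Review bot: the neighbouring `/usr/share/mc/extfs/.*  --` entry restricts `bin_t` to regular files, whereas the added `/usr/share/texmf/teTeX/bin(/.*)?` labels the directory and everything beneath it `bin_t`, including any non-executable data files that live there; if that is intended because the directory holds only executables and scripts, a short comment in the style of the `# SuSE` markers used elsewhere in this patch would make the exception to the `/usr/share` default explicit.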
@@ -373,6 +378,7 @@
 #
 /usr/X11R6/lib(64)?/X11/fonts(/.*)?		system_u:object_r:fonts_t
 /usr/share/fonts(/.*)?			system_u:object_r:fonts_t
+/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t
 
 #
 # /var/run

[-- Attachment #1.4: cleanup.patch --]
[-- Type: text/plain, Size: 1670 bytes --]

--- orig/domains/program/unused/dbusd.te
+++ mod/domains/program/unused/dbusd.te
@@ -11,7 +11,8 @@
 allow dbusd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow dbusd_t etc_t:file { getattr read };
-allow dbusd_t self:capability { setgid setuid };
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+allow dbusd_t self:capability { setgid setuid dac_override };
 
 # I expect we need more than this
 allow { dbus_client_domain userdomain } dbusd_var_run_t:dir search;
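Review bot: `dac_override` on the added line lets `dbusd_t` bypass discretionary permission checks on every file it touches, which is a large grant for what the comment describes as a directory-ownership detail on one distribution. The narrower fix is to have the Debian package create `/var/run/dbus` with an owner or group that the messagebus user can write to, so no capability is needed; if the rule must stay, the comment should cite the specific denied access (the audit record) and, since it is only needed on Debian, the rule should be guarded the way the inetd.te hunk below guards its rule with `ifdef` rather than applied to every distribution.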
--- orig/macros/global_macros.te
+++ mod/macros/global_macros.te
@@ -43,8 +43,10 @@
 ##################################
 # read_sysctl(domain)
 #
-# Permissions for reading the locale data,
-# /etc/localtime and the files that it links to
+# Permissions for reading sysctl variables.
+# If the second parameter is 'full', allow
+# reading of any sysctl variables, else only
+# sysctl_kernel_t.
 #
 define(`read_sysctl', `
 # Read system variables in /sys.
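Review bot: the new comment describes a second parameter (`'full'`) but the macro header two lines above it still reads `read_sysctl(domain)`; update it to list both parameters so the header and the description agree. The comment should also say what the second parameter's default is when it is omitted, since "else only sysctl_kernel_t" covers the explicit case but not the absent one.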
 
--- orig/domains/program/unused/inetd.te
+++ mod/domains/program/inetd.te
@@ -118,7 +119,9 @@
 dontaudit inetd_child_t krb5_conf_t:file write;
 allow inetd_child_t urandom_device_t:chr_file { getattr read };
 
+ifdef(`unconfined.te', `
 domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
+')
 
 ifdef(`unlimitedServices', `
 unconfined_domain(inetd_t) 
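Review bot: the `---`/`+++` headers name different locations, `domains/program/unused/inetd.te` versus `domains/program/inetd.te`, so the hunk is a diff between the unused copy and an activated copy; anyone applying this against CVS, where the file lives under `unused/`, needs to know which path it is meant for. The header `@@ -118,7 +119,9 @@` also shows a one-line offset between old and new, which suggests an earlier hunk from this file was left out of the attachment; `patch` will tolerate the offset, but please confirm nothing from the same file is missing. The `ifdef(`unconfined.te'` guard itself is right, since the transition target is undefined when that policy file is absent.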
--- orig/domains/program/unused/rpm.te
+++ mod/domains/program/rpm.te
@@ -208,7 +208,7 @@
 can_exec(rpm_script_t, usr_t)
 
 allow rpm_t mount_t:tcp_socket { write };
-rw_dir_file(rpm_t, nfs_t)
+create_dir_file(rpm_t, nfs_t)
 allow rpm_t nfs_t:filesystem getattr;
 
 allow rpm_script_t userdomain:fd use;
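Review bot: switching `rw_dir_file` to `create_dir_file` lets `rpm_t` create directories and files on NFS-mounted filesystems, which widens the package manager's reach onto network storage; the change has no comment saying which SuSE or Debian operation needs it (the dbusd hunk above sets the precedent of explaining such grants inline), so please add one. As with the inetd.te hunk, the `---` path is `unused/rpm.te` while the `+++` path is the active `rpm.te`, so state which copy the change targets.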

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]


* Re: [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse)
  2004-05-17 23:13         ` [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse) Thomas Bleher
@ 2004-05-18 20:18           ` Russell Coker
  2004-05-18 21:02           ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 21+ messages in thread
From: Russell Coker @ 2004-05-18 20:18 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: 'Selinux'

On Tue, 18 May 2004 09:13, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> This is a very good point.
> I just went through my tree and collected the patches (not all
> SuSE-specific) which I think can be applied immediately.
> The patches are:
> * binfmt_misc.patch - add support for mounting the binfmt_misc fs
> * file_contexts.patch - add a bunch of file contexts
> * cleanup.patch - some very small cleanup and policy additions
> The patches should apply cleanly against current CVS.

I think that we want to avoid file contexts for /tmp as much as possible.  I 
have removed the reference to /tmp from the file_contexts patch, but have 
applied everything else to my tree.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

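A checker for the file_contexts format exchanged in this thread, added here as an example (it is not code from the policy tree or from any poster). It parses entries in the form the patches use (path regex, optional file-type flag, context or `<<none>>`), flags entries under /tmp in line with the objection in Russell's reply above, catches `[^/]*` patterns that also match an empty path component, and lists the distinct types that several entries claim for one path, the situation the overlapping `/opt(/.*)?`, `/opt/[^/]*/bin(/.*)?` and `/opt/kde3/bin/kdm` entries in the file_contexts patch create. The sample entries are constructed from that patch rather than copied from a complete file, and the lint rules are this example's own conventions, not setfiles' behaviour.

```python
"""Lint and cross-check SELinux file_contexts entries (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the file_contexts format: a few entries modelled on
# the patch discussed in the thread, not a complete file.
SAMPLE_FC = """\
# A common mount point
/mnt(/.*)?\t\t-d\tsystem_u:object_r:mnt_t
/media(/.*)?\t\t-d\tsystem_u:object_r:mnt_t
/opt(/.*)?\t\t\tsystem_u:object_r:usr_t
/opt/[^/]*/bin(/.*)?\t\tsystem_u:object_r:bin_t
/opt/kde3/bin/kdm\t--\tsystem_u:object_r:xdm_exec_t
/var/run/screen/S-[^/]+\t-d\tsystem_u:object_r:screen_dir_t
/var/run/screen/S-[^/]+/.*\t<<none>>
# SuSE puts this under /tmp ...
/tmp/uscreens\t\t-d\tsystem_u:object_r:var_run_t
/tmp/uscreens/S-[^/]+\t-d\tsystem_u:object_r:screen_dir_t
"""

# File-type flags setfiles accepts: regular file, directory, char device,
# block device, socket, symlink, named pipe.
FILE_TYPE_FLAGS = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}


@dataclass
class Entry:
    lineno: int
    regex: str
    ftype: Optional[str]    # None: entry applies to every file type
    context: Optional[str]  # None: <<none>>, i.e. leave the label untouched


def parse_file_contexts(text: str) -> List[Entry]:
    """Parse file_contexts text; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ctx = fields
            ftype = None
        elif len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append(Entry(lineno, regex, ftype, None if ctx == "<<none>>" else ctx))
    return entries


def lint(entries: List[Entry]) -> List[Tuple[int, str]]:
    """Return (line number, message) findings for questionable entries."""
    findings: List[Tuple[int, str]] = []
    for e in entries:
        # Under /tmp any local user can create the path first, so a label
        # there cannot show which program created the object.
        if e.regex == "/tmp" or e.regex.startswith("/tmp/"):
            findings.append((e.lineno, "entry under /tmp; avoid file contexts there"))
        # [^/]* also matches an empty component, e.g. /opt//bin.
        if "[^/]*" in e.regex:
            findings.append((e.lineno, "'[^/]*' matches an empty path component; use '[^/]+'"))
        if e.context is not None and not re.fullmatch(r"[^:\s]+:[^:\s]+:[^:\s]+", e.context):
            findings.append((e.lineno, "context is not user:role:type"))
        try:
            re.compile(e.regex)
        except re.error as exc:
            findings.append((e.lineno, f"regex does not compile: {exc}"))
    return findings


def matching_entries(entries: List[Entry], path: str) -> List[Entry]:
    """Entries whose regex matches the whole path (file-type flags ignored).

    setfiles anchors each regex at both ends and uses POSIX extended syntax;
    re.fullmatch behaves the same for the simple patterns used here.
    """
    return [e for e in entries if re.fullmatch(e.regex, path)]


def conflicting_types(entries: List[Entry], path: str) -> List[str]:
    """Distinct types claimed for one path; more than one means precedence decides.

    Which entry wins is left to the tool that installs the labels; confirm on
    the target system with matchpathcon.
    """
    types = {e.context.rsplit(":", 1)[1] for e in matching_entries(entries, path) if e.context}
    return sorted(types)


if __name__ == "__main__":
    fc = parse_file_contexts(SAMPLE_FC)
    for lineno, msg in lint(fc):
        print(f"line {lineno}: {msg}")
    for p in ("/opt/kde3/bin/kdm", "/tmp/uscreens/S-alice"):
        print(p, "->", conflicting_types(fc, p))
```

Run against a real policy tree by reading the generated file_contexts instead of `SAMPLE_FC`; any path for which `conflicting_types` returns more than one type is worth a `matchpathcon` check before the policy is installed.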


* Re: [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse)
  2004-05-17 23:13         ` [PATCH] some file_contexts for SuSE, binfmt_misc, small cleanup (was: Re: Suse) Thomas Bleher
  2004-05-18 20:18           ` Russell Coker
@ 2004-05-18 21:02           ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 21+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-05-18 21:02 UTC (permalink / raw)
  To: 'Selinux'

On Tue, May 18, 2004 at 01:13:18AM +0200, Thomas Bleher wrote:

> This is a very good point.
> I just went through my tree and collected the patches (not all
> SuSE-specific) which I think can be applied immediately.
> The patches are:
> * binfmt_misc.patch - add support for mounting the binfmt_misc fs
> * file_contexts.patch - add a bunch of file contexts
> * cleanup.patch - some very small cleanup and policy additions
> The patches should apply cleanly against current CVS.
 
 yes they do.  ta.

 more, more!

 l.




* Re: Suse
  2004-05-16 17:59       ` Suse Ed Street
@ 2004-05-19 12:18         ` Thorsten Kukuk
  0 siblings, 0 replies; 21+ messages in thread
From: Thorsten Kukuk @ 2004-05-19 12:18 UTC (permalink / raw)
  To: 'Selinux'

On Sun, May 16, Ed Street wrote:

> Hello,
> 
> What is suse 9.1 using for auditing, also how does this affect the eal3+
> rating?

It does not. There are no plans for ealXX for our box product. Only
for the Enterprise Server.

  Thorsten

-- 
Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Maxfeldstr. 5                 D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B


