* SELinux on Debian (Sid)
@ 2004-06-09 14:44 Magnus Therning
  2004-06-09 17:50 ` Luke Kenneth Casson Leighton
  2004-06-10  8:17 ` Russell Coker
  0 siblings, 2 replies; 29+ messages in thread
From: Magnus Therning @ 2004-06-09 14:44 UTC (permalink / raw)
  To: selinux

I have run into some problems with getting a Debian box up and running
with SELinux. Maybe someone can offer some insights?

Installing selinux-default-policy failed, make complains about 'chsid'
not being present. These are the problems I run into when trying to
complete the installation of the policies:

 1. The makefile in /etc/selinux uses 'chsid'. This is the line:

      chsid system_u:object_r:policy_config_t /ss_policy

    Apparently that tool has been replaced by 'chcon'.

      chcon -u system_u -r object_r -t policy_config_t /ss_policy

    On a standard kernel this gave the following error message:
      
      chcon: invalid security context

 2. The path to 'load_policy' is wrong in /etc/selinux/Makefile it now
    lives in /usr/sbin rather than /usr/bin. Also the variable
    LOADPOLICY isn't used at all, instead every reference to
    'load_policy' is written like this:

      $(BINDIR)/load_policy

    A little silly (-:

 3. 'make relabel' fails on a standard kernel:

      load_policy: security_load_policy failed

    After rebooting using my SE-kernel 'make relabel' also fails:

      security:  policydb magic number 0x8 does not match expected magic number 0xf97cff8c
      load_policy: security_load_policy failed

Now I am stuck :-( I simply don't know where to look for a thread to
pull to clean up the mess.

/M

-- 
Magnus Therning  mailto:therning@sourceforge.natlab.research.philips.com
+31-40-2745179  http://pww.innersource.philips.com/magnus/
OpenPGP:0x4FBB2C40

X-Windows: ...The art of incompetence. 


* Re: SELinux on Debian (Sid)
  2004-06-09 14:44 SELinux on Debian (Sid) Magnus Therning
@ 2004-06-09 17:50 ` Luke Kenneth Casson Leighton
  2004-06-10  8:13   ` Russell Coker
  2004-06-10 12:09   ` Magnus Therning
  2004-06-10  8:17 ` Russell Coker
  1 sibling, 2 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-09 17:50 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux

ha ha, another debian victiiim .

0) make sure you're really a debian/unstable (apt-get dist-upgrade?)

1) install, at your own risk of course, the 2.6.6-selinux1 kernel
from http://hands.com/~lkcl/selinux.

2) DO NOT add selinux.lemuria.org/newselinux to your /etc/apt/sources.list

3) DO add selinux.lemuria.org/walters to your /etc/apt/sources.list

4) DO install the (probably downgraded) cron, logrotate, coreutils etc.
   from /walters
   
5) use the 1.12 .debs for libselinux1 and selinux-policy-default
   and selinux-utils policycoreutils etc. they are the latest and they
   ARE in [ftp/http].*.debian.org

6) once you have installed the 1.12 selinux-policy-default and stuff,
   YOU MUST go to http://sf.net/projects/selinux and download a
   replacement genhomedircon from the
   selinux-usr/policycoreutils//scripts/ directory.

   the version presently released is brain-dead and does something
   different and unexpected.

i recommend you clean out everything you can find prior to doing all
this.

i ALSO recommend that you DO NOT install SE/Linux on an ext2 filesystem.

make sure you use ext3 for all partitions (well, i get away with /boot
as an ext2) how do i put this this is REALLY IMPORTANT there is a bug
somewhere in the extended attributes stuff and i got a repeatable and
quite seriously corrupted filesystem.

if you really really can't get it to work let me know and i can upload
a set of pre-installed tar.gz'd partitions which only come to 124 mbytes
total, there are only about 160 packages preinstalled.

l.

On Wed, Jun 09, 2004 at 04:44:04PM +0200, Magnus Therning wrote:
> I have run into some problems with getting a Debian box up and running
> with SELinux. Maybe someone can offer some insights?
> 
> Installing selinux-default-policy failed, make complains about 'chsid'
> not being present. These are the problems I run into when trying to
> complete the installation of the policies:
> 
>  1. The makefile in /etc/selinux uses 'chsid'. This is the line:
> 
>       chsid system_u:object_r:policy_config_t /ss_policy
> 
>     Apparently that tool has been replaced by 'chcon'.
> 
>       chcon -u system_u -r object_r -t policy_config_t /ss_policy
> 
>     On a standard kernel this gave the following error message:
>       
>       chcon: invalid security context
> 
>  2. The path to 'load_policy' is wrong in /etc/selinux/Makefile it now
>     lives in /usr/sbin rather than /usr/bin. Also the variable
>     LOADPOLICY isn't used at all, instead every reference to
>     'load_policy' is written like this:
> 
>       $(BINDIR)/load_policy
> 
>     A little silly (-:
> 
>  3. 'make relabel' fails on a standard kernel:
> 
>       load_policy: security_load_policy failed
> 
>     After rebooting using my SE-kernel 'make relabel' also fails:
> 
>       security:  policydb magic number 0x8 does not match expected magic number 0xf97cff8c
>       load_policy: security_load_policy failed
> 
> Now I am stuck :-( I simply don't know where to look for a thread to
> pull to clean up the mess.
> 
> /M
> 
> -- 
> Magnus Therning  mailto:therning@sourceforge.natlab.research.philips.com
> +31-40-2745179  http://pww.innersource.philips.com/magnus/
> OpenPGP:0x4FBB2C40
> 
> X-Windows: ...The art of incompetence. 



-- 
-- 
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux on Debian (Sid)
  2004-06-09 17:50 ` Luke Kenneth Casson Leighton
@ 2004-06-10  8:13   ` Russell Coker
  2004-06-10 22:04     ` Luke Kenneth Casson Leighton
  2004-06-10 12:09   ` Magnus Therning
  1 sibling, 1 reply; 29+ messages in thread
From: Russell Coker @ 2004-06-10  8:13 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Magnus Therning, selinux

On Thu, 10 Jun 2004 03:50, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> 2) DO NOT add selinux.lemuria.org/newselinux to your /etc/apt/sources.list
>
> 3) DO add selinux.lemuria.org/walters to your /etc/apt/sources.list

Colin has not been working on his for quite some time.  Why would you want to 
use a repository with old versions that is not being maintained instead of a 
repository that is actively maintained with the latest versions?

> 4) DO install the (probably downgraded) cron, logrotate, coreutils etc.
>    from /walters

Why not install the latest versions of cron, logrotate, coreutils etc from my 
repository which requires no special effort as they are a minor sub-version 
greater than the versions in Debian/unstable?

> 5) use the 1.12 .debs for libselinux1 and selinux-policy-default
>    and selinux-utils policycoreutils etc. they are the latest and they
>    ARE in [ftp/http].*.debian.org

They are also only tested with the latest versions of the packages from my 
site, not from the /walters repository.

> 6) once you have installed the 1.12 selinux-policy-default and stuff,
>    YOU MUST go to http://sf.net/projects/selinux and download a
>    replacement genhomedircon from the
>    selinux-usr/policycoreutils//scripts/ directory.
>
>    the version presently released is brain-dead and does something
>    different and unexpected.

I've uploaded a new policycoreutils package that fixes this, along with a new 
policy source package to match.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid)
  2004-06-09 14:44 SELinux on Debian (Sid) Magnus Therning
  2004-06-09 17:50 ` Luke Kenneth Casson Leighton
@ 2004-06-10  8:17 ` Russell Coker
  2004-06-10 12:03   ` Magnus Therning
  1 sibling, 1 reply; 29+ messages in thread
From: Russell Coker @ 2004-06-10  8:17 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux

On Thu, 10 Jun 2004 00:44, Magnus Therning <magnus-work@therning.org> wrote:
> Installing selinux-default-policy failed, make complains about 'chsid'
> not being present. These are the problems I run into when trying to
> complete the installation of the policies:

Sounds like you have old SE Linux, that is ancient and no longer being 
supported.  It is only supported to kernel 2.4.21 upstream and 2.4.22 on my 
web site (in the section that is no longer maintained).  I strongly recommend 
the new SE Linux.

>  3. 'make relabel' fails on a standard kernel:
>
>       load_policy: security_load_policy failed
>
>     After rebooting using my SE-kernel 'make relabel' also fails:
>
>       security:  policydb magic number 0x8 does not match expected magic number 0xf97cff8c
>       load_policy: security_load_policy failed

Sounds like you have new SE Linux in the kernel and old SE Linux in the 
utilities.  Don't use the packages in woody.  Start with Brian's back-ports 
if you want to use SE Linux in woody, but they haven't been maintained for a 
while either.  It's best to use Debian/unstable (the next version of Debian 
will be out soon so there seems little point in starting with the old version 
now).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
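
Added example, not part of the original thread: a header check for a binary policy file that reproduces the kernel's "magic number" rejection quoted above before load_policy is ever run. It assumes the header layout read by the kernel's policydb loader (little-endian 32-bit magic, string length, the string "SE Linux", then the policy version); the function names and both sample buffers are constructed for illustration.

```python
#!/usr/bin/env python3
"""Check the header of a binary SELinux policy before handing it to load_policy."""
import struct
import sys

POLICYDB_MAGIC = 0xF97CFF8C    # the "expected magic number" from the kernel message in this thread
POLICYDB_STRING = b"SE Linux"  # identification string stored after the magic (assumed layout)


class PolicyHeaderError(ValueError):
    """Raised when a buffer does not start with a valid policy header."""


def check_policy_header(data: bytes) -> dict:
    """Parse magic, string length, string and version; raise on any mismatch."""
    if len(data) < 8:
        raise PolicyHeaderError(f"truncated header: {len(data)} bytes, need at least 8")
    magic, str_len = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        # Same wording as the kernel message, so the two are easy to correlate.
        raise PolicyHeaderError(
            f"policydb magic number {magic:#x} does not match "
            f"expected magic number {POLICYDB_MAGIC:#x}"
        )
    if str_len != len(POLICYDB_STRING):
        raise PolicyHeaderError(
            f"policydb string length {str_len} does not match "
            f"expected length {len(POLICYDB_STRING)}"
        )
    end = 8 + str_len
    if len(data) < end + 4:
        raise PolicyHeaderError("truncated header: version field missing")
    ident = data[8:end]
    if ident != POLICYDB_STRING:
        raise PolicyHeaderError(f"policydb string {ident!r} does not match {POLICYDB_STRING!r}")
    (version,) = struct.unpack_from("<I", data, end)
    return {"magic": magic, "ident": ident.decode("ascii"), "version": version}


def diagnose(data: bytes) -> str:
    """Return a one-line verdict suitable for a pre-load check in a build script."""
    try:
        hdr = check_policy_header(data)
    except PolicyHeaderError as exc:
        return f"REJECT: {exc}"
    return f"OK: {hdr['ident']!r} policy, version {hdr['version']}"


# Constructed sample: a well-formed header; the version value 17 is arbitrary.
GOOD_SAMPLE = struct.pack("<II", POLICYDB_MAGIC, 8) + POLICYDB_STRING + struct.pack("<I", 17)
# Constructed sample: first word is 0x8, as in the kernel message; the rest is padding.
MISMATCH_SAMPLE = struct.pack("<I", 0x8) + bytes(16)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Only the first bytes are needed to validate the header.
        with open(sys.argv[1], "rb") as fh:
            print(diagnose(fh.read(64)))
    else:
        print(diagnose(GOOD_SAMPLE))
        print(diagnose(MISMATCH_SAMPLE))
```

Run it with the path of a compiled policy file as the only argument to check a file on disk.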


* Re: SELinux on Debian (Sid)
  2004-06-10  8:17 ` Russell Coker
@ 2004-06-10 12:03   ` Magnus Therning
  2004-06-10 13:53     ` Russell Coker
  2004-06-10 21:54     ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 29+ messages in thread
From: Magnus Therning @ 2004-06-10 12:03 UTC (permalink / raw)
  To: selinux

I forgot to mention the contents of my /etc/apt/sources.list:

 deb http://ftp.uk.debian.org/debian/ testing main non-free contrib
 deb http://ftp.uk.debian.org/debian-non-US testing/non-US main contrib non-free

 deb http://ftp.uk.debian.org/debian/ unstable main non-free contrib
 deb http://ftp.uk.debian.org/debian-non-US sid/non-US main contrib non-free

 deb http://www.coker.com.au/newselinux/ ./

This together with the following line in /etc/apt/apt.conf should give
me a Sid system:

 APT::Default-Release "unstable";

I did an 'apt-get update' and an 'apt-get dist-upgrade' after this.

On Thu, Jun 10, 2004 at 06:17:28PM +1000, Russell Coker wrote:
>On Thu, 10 Jun 2004 00:44, Magnus Therning <magnus-work@therning.org> wrote:
>> Installing selinux-default-policy failed, make complains about
>> 'chsid' not being present. These are the problems I run into when
>> trying to complete the installation of the policies:
>
>Sounds like you have old SE Linux, that is ancient and no longer being
>supported.  It is only supported to kernel 2.4.21 upstream and 2.4.22
>on my web site (in the section that is no longer maintained).  I
>strongly recommend the new SE Linux.

The selinux-default-policy came from the apt-repository mentioned above.

My initial attempt to get things working was a few weeks ago, and then I
had even more problems, that time with the Makefile not being able to
handle the output from 'checkpolicy' (a cut -f 1 -d ' ' was needed).
This was apparently fixed.

>>  3. 'make relabel' fails on a standard kernel:
>>
>>       load_policy: security_load_policy failed
>>
>>     After rebooting using my SE-kernel 'make relabel' also fails:
>>
>>       security:  policydb magic number 0x8 does not match expected magic number 0xf97cff8c
>>       load_policy: security_load_policy failed
>
>Sounds like you have new SE Linux in the kernel and old SE Linux in the
>utilities.  Don't use the packages in woody.  Start with Brian's
>back-ports if you want to use SE Linux in woody, but they haven't been
>maintained for a while either.  It's best to use Debian/unstable (the
>next version of Debian will be out soon so there seems little point in
>starting with the old version now).

Again all packages come from your repository.

I'll take a look at it again later today, to see if there have been any
new packages uploaded since my last attempt.

/M

-- 
-----------------------------------------------------------------------
Magnus Therning                 Philips Research Laboratories Eindhoven
Phone: +31 40 2745179           (OpenPGP: 0x4FBB2C40)

Certum est, quia impossibile. (It is certain, because it is impossible.)
     -- Tertullianus


* Re: SELinux on Debian (Sid)
  2004-06-09 17:50 ` Luke Kenneth Casson Leighton
  2004-06-10  8:13   ` Russell Coker
@ 2004-06-10 12:09   ` Magnus Therning
  2004-06-10 21:46     ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 29+ messages in thread
From: Magnus Therning @ 2004-06-10 12:09 UTC (permalink / raw)
  To: selinux

On Wed, Jun 09, 2004 at 05:50:01PM +0000, Luke Kenneth Casson Leighton wrote:
>ha ha, another debian victiiim .
>
>0) make sure you're really a debian/unstable (apt-get dist-upgrade?)

Done!

>1) install, at your own risk of course, the 2.6.6-selinux1 kernel
>from http://hands.com/~lkcl/selinux.

I compiled one myself. Didn't manage to google my way to any pre-built
(also checked apt-get.org, why isn't it mentioned there?).

I seem to have succeeded in compiling the kernel properly, but I'll give
this one a shot anyway.

>2) DO NOT add selinux.lemuria.org/newselinux to your /etc/apt/sources.list
>
>3) DO add selinux.lemuria.org/walters to your /etc/apt/sources.list

I followed the instructions in the HOWTO I found on the SF project. It
mentions Russell Coker's repository.

>4) DO install the (probably downgraded) cron, logrotate, coreutils etc.
>   from /walters
>   
>5) use the 1.12 .debs for libselinux1 and selinux-policy-default
>   and selinux-utils policycoreutils etc. they are the latest and they
>   ARE in [ftp/http].*.debian.org
>
>6) once you have installed the 1.12 selinux-policy-default and stuff,
>   YOU MUST go to http://sf.net/projects/selinux and download a
>   replacement genhomedircon from the
>   selinux-usr/policycoreutils//scripts/ directory.
>
>   the version presently released is brain-dead and does something
>   different and unexpected.
>
>i recommend you clean out everything you can find prior to doing all
>this.
>
>i ALSO recommend that you DO NOT install SE/Linux on an ext2 filesystem.

Ah, this I did do... Not too much of a problem to fix though.

>make sure you use ext3 for all partitions (well, i get away with /boot
>as an ext2) how do i put this this is REALLY IMPORTANT there is a bug
>somewhere in the extended attributes stuff and i got a repeatable and
>quite seriously corrupted filesystem.
>
>if you really really can't get it to work let me know and i can upload
>a set of pre-installed tar.gz'd partitions which only come to 124
>mbytes total, there are only about 160 packages preinstalled.

Thanks!

I'll be in touch with updates :-)

>On Wed, Jun 09, 2004 at 04:44:04PM +0200, Magnus Therning wrote:
>> I have run into some problems with getting a Debian box up and running
>> with SELinux. Maybe someone can offer some insights?
>> 
>> Installing selinux-default-policy failed, make complains about 'chsid'
>> not being present. These are the problems I run into when trying to
>> complete the installation of the policies:
>> 
>>  1. The makefile in /etc/selinux uses 'chsid'. This is the line:
>> 
>>       chsid system_u:object_r:policy_config_t /ss_policy
>> 
>>     Apparently that tool has been replaced by 'chcon'.
>> 
>>       chcon -u system_u -r object_r -t policy_config_t /ss_policy
>> 
>>     On a standard kernel this gave the following error message:
>>       
>>       chcon: invalid security context
>> 
>>  2. The path to 'load_policy' is wrong in /etc/selinux/Makefile it now
>>     lives in /usr/sbin rather than /usr/bin. Also the variable
>>     LOADPOLICY isn't used at all, instead every reference to
>>     'load_policy' is written like this:
>> 
>>       $(BINDIR)/load_policy
>> 
>>     A little silly (-:
>> 
>>  3. 'make relabel' fails on a standard kernel:
>> 
>>       load_policy: security_load_policy failed
>> 
>>     After rebooting using my SE-kernel 'make relabel' also fails:
>> 
>>       security:  policydb magic number 0x8 does not match expected magic number 0xf97cff8c
>>       load_policy: security_load_policy failed
>> 
>> Now I am stuck :-( I simply don't know where to look for a thread to
>> pull to clean up the mess.
>> 
>> /M
>> 
>> -- 
>> Magnus Therning  mailto:therning@sourceforge.natlab.research.philips.com
>> +31-40-2745179  http://pww.innersource.philips.com/magnus/
>> OpenPGP:0x4FBB2C40
>> 
>> X-Windows: ...The art of incompetence. 
>
>
>
>-- 
>-- 
>expecting email to be received and understood is a bit like
>picking up the telephone and immediately dialing without
>checking for a dial-tone; speaking immediately without listening
>for either an answer or ring-tone; hanging up immediately and
>believing that you have actually started a conversation.
>--
><a href="http://lkcl.net">      lkcl.net      </a> <br />
><a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
>

-- 
-----------------------------------------------------------------------
Magnus Therning                 Philips Research Laboratories Eindhoven
Phone: +31 40 2745179           (OpenPGP: 0x4FBB2C40)

People who don't make mistakes make the greatest mistake of all;
they do nothing.
     -- Unknown


* Re: SELinux on Debian (Sid)
  2004-06-10 12:03   ` Magnus Therning
@ 2004-06-10 13:53     ` Russell Coker
  2004-06-10 21:54     ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 29+ messages in thread
From: Russell Coker @ 2004-06-10 13:53 UTC (permalink / raw)
  To: Magnus Therning; +Cc: selinux

On Thu, 10 Jun 2004 22:03, Magnus Therning <magnus-work@therning.org> wrote:
> >Sounds like you have old SE Linux, that is ancient and no longer being
> >supported.  It is only supported to kernel 2.4.21 upstream and 2.4.22
> >on my web site (in the section that is no longer maintained).  I
> >strongly recommend the new SE Linux.
>
> The selinux-default-policy came from the apt-repository mentioned above.

So how did you end up with a Makefile calling chsid?  I haven't had any script 
calling chsid for ages!

> My initial attempt to get things working was a few weeks ago, and then I
> had even more problems, that time with the Makefile not being able to
> handle the output from 'checkpolicy' (a cut -f 1 -d ' ' was needed).
> This was apparently fixed.

Yes, this should be fixed.

> >>       security:  policydb magic number 0x8 does not match expected magic number 0xf97cff8c
> >>       load_policy: security_load_policy failed
> >
> >Sounds like you have new SE Linux in the kernel and old SE Linux in the
> >utilities.  Don't use the packages in woody.  Start with Brian's
> >back-ports if you want to use SE Linux in woody, but they haven't been
> >maintained for a while either.  It's best to use Debian/unstable (the
> >next version of Debian will be out soon so there seems little point in
> >starting with the old version now).
>
> Again all packages come from your repository.
>
> I'll take a look at it again later today, to see if there have been any
> new packages uploaded since my last attempt.

Show me the versions of those packages.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid)
  2004-06-10 12:09   ` Magnus Therning
@ 2004-06-10 21:46     ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-10 21:46 UTC (permalink / raw)
  To: selinux

On Thu, Jun 10, 2004 at 02:09:08PM +0200, Magnus Therning wrote:

> On Wed, Jun 09, 2004 at 05:50:01PM +0000, Luke Kenneth Casson Leighton wrote:
> >ha ha, another debian victiiim .
> >
> >0) make sure you're really a debian/unstable (apt-get dist-upgrade?)
> 
> Done!
 
 :)

> >1) install, at your own risk of course, the 2.6.6-selinux1 kernel
> >from http://hands.com/~lkcl/selinux.
> 
> I compiled one myself. Didn't manage to google my way to any pre-built
> (also checked apt-get.org, why isn't it mentioned there?).
 
 *shrug* - never'eard'of'it is probably why!

> I seem to have succeeded in compiling the kernel properly, but I'll give
> this one a shot anyway.

 it has CONFIG_NETWORK_SECURITY and all that stuff switched on in it.
 i've uploaded the config-2.6.6-selinux1 to open.hands.com/~lkcl/selinux
 in case you want to double-check (let me know if you find any
 discrepancies - either way!)


> >2) DO NOT add selinux.lemuria.org/newselinux to your /etc/apt/sources.list
> >
> >3) DO add selinux.lemuria.org/walters to your /etc/apt/sources.list
> 
> I followed the instructions in the HOWTO I found on the SF project. It
> mentions Russell Coker's repository.
 
 you got russell's message describing the status of the /newselinux
 and /walters packages, yes?

> >i ALSO recommend that you DO NOT install SE/Linux on an ext2 filesystem.
> 
> Ah, this I did do... Not too much of a problem to fix though.

 yes, you can always run tune2fs -j afterwards - that's what i did.


> >make sure you use ext3 for all partitions (well, i get away with /boot
> >as an ext2) how do i put this this is REALLY IMPORTANT there is a bug
> >somewhere in the extended attributes stuff and i got a repeatable and
> >quite seriously corrupted filesystem.
> >
> >if you really really can't get it to work let me know and i can upload
> >a set of pre-installed tar.gz'd partitions which only come to 124
> >mbytes total, there are only about 160 packages preinstalled.
> 
> Thanks!
> 
> I'll be in touch with updates :-)
 
 ack.

 btw _do_ ask because i had an incredibly frustrating couple of
 weeks before finally managing to get a working system.
 
 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />



* Re: SELinux on Debian (Sid)
  2004-06-10 12:03   ` Magnus Therning
  2004-06-10 13:53     ` Russell Coker
@ 2004-06-10 21:54     ` Luke Kenneth Casson Leighton
  2004-06-11  4:13       ` Russell Coker
  1 sibling, 1 reply; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-10 21:54 UTC (permalink / raw)
  To: selinux

On Thu, Jun 10, 2004 at 02:03:44PM +0200, Magnus Therning wrote:

> I forgot to mention the contents of my /etc/apt/sources.list:
> 
>  deb http://ftp.uk.debian.org/debian/ testing main non-free contrib
>  deb http://ftp.uk.debian.org/debian-non-US testing/non-US main contrib non-free
> 
>  deb http://ftp.uk.debian.org/debian/ unstable main non-free contrib
>  deb http://ftp.uk.debian.org/debian-non-US sid/non-US main contrib non-free
> 
>  deb http://www.coker.com.au/newselinux/ ./
> 
> This together with the following line in /etc/apt/apt.conf should give
> me a Sid system:
> 
>  APT::Default-Release "unstable";
> 
> I did an 'apt-get update' and an 'apt-get dist-upgrade' after this.
> 
> On Thu, Jun 10, 2004 at 06:17:28PM +1000, Russell Coker wrote:
> >On Thu, 10 Jun 2004 00:44, Magnus Therning <magnus-work@therning.org> wrote:
> >> Installing selinux-default-policy failed, make complains about
> >> 'chsid' not being present. These are the problems I run into when
> >> trying to complete the installation of the policies:
> >
> >Sounds like you have old SE Linux, that is ancient and no longer being
> >supported.  It is only supported to kernel 2.4.21 upstream and 2.4.22
> >on my web site (in the section that is no longer maintained).  I
> >strongly recommend the new SE Linux.
> 
> The selinux-default-policy came from the apt-repository mentioned above.
 
 ah, there _isn't_ one in newselinux, you mean the one from
 ftp.uk.debian.org.

 check that you have 1.12-1

 tell y'what, here's a list of packages i have installed:

 sez:/boot# dpkg -l | grep selinux
 ii  bsdutils       2.11z-4.selinu Basic utilities from 4.4BSD-Lite
 ii  fileutils      5.0-4.selinux. The GNU file management utilities (transitio
 ii  kernel-image-2 selinux.1.0    Linux kernel binary image for version 2.6.6-
 ii  libpam-doc     0.76-13.selinu Documentation of PAM
 ii  libselinux1    1.12-1         SELinux shared libraries
 ii  libselinux1-de 1.12-1         SELinux development headers
 ii  mount          2.11z-4.selinu Tools for mounting and manipulating filesyst
 ii  psmisc         21.3-1.selinux Utilities that use the proc filesystem
 ii  selinux-policy 1.12-1         Policy config files and management for NSA S
 ii  selinux-utils  1.12-1         SELinux utility programs
 ii  shellutils     5.0-4.selinux. The GNU shell programming utilities (transit
 ii  textutils      5.0-4.selinux. The GNU text file processing utilities (tran
 ii  util-linux     2.11z-4.selinu Miscellaneous system utilities
 ii  util-linux-loc 2.11z-4.selinu Locales files for util-linux

 sez:/boot# dpkg -l | grep se1    
 ii  cron           3.0pl1-83.se1  management of regular background processing
 ii  dpkg           1.10.21-se1    Package maintenance system for Debian
 ii  initscripts    2.85-15.se1    Standard scripts needed for booting and shut
 ii  logrotate      3.7-1.se1      Log rotation utility
 ii  sysv-rc        2.85-15.se1    Standard boot mechanism using symlinks in /e
 ii  sysvinit       2.85-15.se1    System-V like init

sez:/boot# dpkg -l | grep se5
ii  libpam-modules 0.77-0.se5     Pluggable Authentication Modules for PAM
ii  libpam-runtime 0.77-0.se5     Runtime support for the PAM library
ii  libpam0g       0.77-0.se5     Pluggable Authentication Modules library
ii  libpam0g-dev   0.77-0.se5     Development files for PAM

 
 and that happy lot seems to do it for me.  some of those are from
 selinux.lemuria.org/walters but as russell says these are older
 packages so may cause conflicts with an unstable system (unless you
 put them on "hold"?)

 .



* Re: SELinux on Debian (Sid)
  2004-06-10  8:13   ` Russell Coker
@ 2004-06-10 22:04     ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-10 22:04 UTC (permalink / raw)
  To: Russell Coker; +Cc: Magnus Therning, selinux

On Thu, Jun 10, 2004 at 06:13:12PM +1000, Russell Coker wrote:
> On Thu, 10 Jun 2004 03:50, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > 2) DO NOT add selinux.lemuria.org/newselinux to your /etc/apt/sources.list
> >
> > 3) DO add selinux.lemuria.org/walters to your /etc/apt/sources.list
> 
> Colin has not been working on his for quite some time.  Why would you want to 
> use a repository with old versions that is not being maintained instead of a 
> repository that is actively maintained with the latest versions?
 
 uhm... i don't know?   it seemed like a good idea?  i couldn't do
 mount (even as sysadm_t) of nfs filesystems and such-like, and
 went,
 
 "argh, what random thing can i try that might have a possible
 chance of working, hm, let's try installing one of those
 old walters packages, yeh, that sounds like a long-shot, hm,
 that broke, let's try something else, oh _that_ one works,
 okay, it ain't broke now, so leave it alone!"

 not that i would recommend to anyone _else_ to try this kind
 of approach unless you have a lot of time on your hands *lol* :)


> > 4) DO install the (probably downgraded) cron, logrotate, coreutils etc.
> >    from /walters
> 
> Why not install the latest versions of cron, logrotate, coreutils etc from my 
> repository which requires no special effort as they are a minor sub-version 
> greater than the versions in Debian/unstable?

 i have those, and then for certain things that were missing (and/or
 broke for me), i just ended up adding _some_ of the walters ones.


> > 5) use the 1.12 .debs for libselinux1 and selinux-policy-default
> >    and selinux-utils policycoreutils etc. they are the latest and they
> >    ARE in [ftp/http].*.debian.org
> 
> They are also only tested with the latest versions of the packages from my 
> site, not from the /walters repository.

 i understand.


> > 6) once you have installed the 1.12 selinux-policy-default and stuff,
> >    YOU MUST go to http://sf.net/projects/selinux and download a
> >    replacement genhomedircon from the
> >    selinux-usr/policycoreutils//scripts/ directory.
> >
> >    the version presently released is brain-dead and does something
> >    different and unexpected.
> 
> I've uploaded a new policycoreutils package that fixes this, along with a new 
> policy source package to match.
 
 oo! great.
 
 i'm tempted to try that, i really am, but i am close to having
 something "that works for me", now, and am reluctant to do
 anything that would a) mean more work/testing b) break what
 i have.

 hm, maybe i will take a hard-drive snapshot and continue from there.

 l.

-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SELinux on Debian (Sid)
  2004-06-10 21:54     ` Luke Kenneth Casson Leighton
@ 2004-06-11  4:13       ` Russell Coker
  2004-06-11 20:40         ` Luke Kenneth Casson Leighton
  2004-06-11 23:26         ` Greg Norris
  0 siblings, 2 replies; 29+ messages in thread
From: Russell Coker @ 2004-06-11  4:13 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: selinux

On Fri, 11 Jun 2004 07:54, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > The selinux-default-policy came from the apt-repository mentioned above.
>
>  ah, there _isn't_ one in newselinux, you mean the one from
>  ftp.uk.debian.org.

Or whichever Debian mirror is most convenient.

>  check that you have 1.12-1

1.12-2 has been out for a while, and yesterday I uploaded 1.12-3 which fixes 
some issues discussed in this thread.

>  tell y'what, here's a list of packages i have installed:
>
>  sez:/boot# dpkg -l | grep selinux
>  ii  bsdutils       2.11z-4.selinu Basic utilities from 4.4BSD-Lite

Why do you need a patched bsdutils?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid)
  2004-06-11  4:13       ` Russell Coker
@ 2004-06-11 20:40         ` Luke Kenneth Casson Leighton
  2004-06-12  2:11           ` Russell Coker
  2004-06-11 23:26         ` Greg Norris
  1 sibling, 1 reply; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-11 20:40 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Fri, Jun 11, 2004 at 02:13:40PM +1000, Russell Coker wrote:
> On Fri, 11 Jun 2004 07:54, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > The selinux-default-policy came from the apt-repository mentioned above.
> >
> >  ah, there _isn't_ one in newselinux, you mean the one from
> >  ftp.uk.debian.org.
> 
> Or whichever Debian mirror is most convenient.
> 
> >  check that you have 1.12-1
> 
> 1.12-2 has been out for a while, and yesterday I uploaded 1.12-3 which fixes 
> some issues discussed in this thread.
 
 great!

> >  tell y'what, here's a list of packages i have installed:
> >
> >  sez:/boot# dpkg -l | grep selinux
> >  ii  bsdutils       2.11z-4.selinu Basic utilities from 4.4BSD-Lite
> 
> Why do you need a patched bsdutils?

 uhm, i don't, as i said it was part of my desperation "try it and
 see" policy two weeks ago and hey, it seems to work, so it ain't
 broke so i'm leaving it there unless you believe that i really
 shouldn't?

 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />



* Re: SELinux on Debian (Sid)
  2004-06-11  4:13       ` Russell Coker
  2004-06-11 20:40         ` Luke Kenneth Casson Leighton
@ 2004-06-11 23:26         ` Greg Norris
  2004-06-12  8:19           ` Russell Coker
  1 sibling, 1 reply; 29+ messages in thread
From: Greg Norris @ 2004-06-11 23:26 UTC (permalink / raw)
  To: selinux

On Fri, Jun 11, 2004 at 02:13:40PM +1000, Russell Coker wrote:
> 1.12-2 has been out for a while, and yesterday I uploaded 1.12-3 which fixes 
> some issues discussed in this thread.

Speaking of which, I'm trying to install this version (new install) on
one of my Debian sid systems.  It gets through all of the interactive
policy prompting OK, but then croaks with the following messages:

   /usr/bin/checkpolicy:  loading policy configuration from policy.conf
   domains/user.te:42:ERROR 'unknown type user_xserver_tmp_t' at token ';' on line 21459:
   #line 42
   allow user_uml_t user_xserver_tmp_t:sock_file { write };
   /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
   make: *** [/etc/security/selinux/policy.17] Error 1

Any idea what I need to fix here?  I've tried to sort it out myself,
but am still finding it somewhat difficult to follow...

Thanx!


* Re: SELinux on Debian (Sid)
  2004-06-11 20:40         ` Luke Kenneth Casson Leighton
@ 2004-06-12  2:11           ` Russell Coker
  2004-06-12  8:14             ` Luke Kenneth Casson Leighton
  2004-06-12  8:15             ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 29+ messages in thread
From: Russell Coker @ 2004-06-12  2:11 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: selinux

On Sat, 12 Jun 2004 06:40, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > Why do you need a patched bsdutils?
>
>  uhm, i don't, as i said it was part of my desperation "try it and
>  see" policy two weeks ago and hey, it seems to work, so it ain't
>  broke so i'm leaving it there unless you believe that i really
>  shouldn't?

Did you compile it or did someone else?  Where did the patch come from?

I would like to know what this bsdutils patch does...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: SELinux on Debian (Sid)
  2004-06-12  2:11           ` Russell Coker
@ 2004-06-12  8:14             ` Luke Kenneth Casson Leighton
  2004-06-12  8:15             ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-12  8:14 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Sat, Jun 12, 2004 at 12:11:32PM +1000, Russell Coker wrote:
> On Sat, 12 Jun 2004 06:40, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > Why do you need a patched bsdutils?
> >
> >  uhm, i don't, as i said it was part of my desperation "try it and
> >  see" policy two weeks ago and hey, it seems to work, so it ain't
> >  broke so i'm leaving it there unless you believe that i really
> >  shouldn't?
> 
> Did you compile it or did someone else?  

 i got it from walter's repository
 (lemuria.selinux.org/walters)
 
> Where did the patch come from?
> 
> I would like to know what this bsdutils patch does...
 
 i don't know, but look at http://www.nsa.gov/selinux, look
 for the downloads directory.

 also consider looking at russell's sf.net/projects/selinux
 cvs repository, search for the directory patches i think
 in selinux-usr.

 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />



* Re: SELinux on Debian (Sid)
  2004-06-12  2:11           ` Russell Coker
  2004-06-12  8:14             ` Luke Kenneth Casson Leighton
@ 2004-06-12  8:15             ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-12  8:15 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Sat, Jun 12, 2004 at 12:11:32PM +1000, Russell Coker wrote:
> On Sat, 12 Jun 2004 06:40, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > Why do you need a patched bsdutils?
> >
> >  uhm, i don't, as i said it was part of my desperation "try it and
> >  see" policy two weeks ago and hey, it seems to work, so it ain't
> >  broke so i'm leaving it there unless you believe that i really
> >  shouldn't?
> 
> Did you compile it or did someone else?  Where did the patch come from?
> 
> I would like to know what this bsdutils patch does...
 
 SORRY russell i replied without looking at who you were, i thought
 you were the other guy who originated this thread :)
 
 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />



* Re: SELinux on Debian (Sid)
  2004-06-11 23:26         ` Greg Norris
@ 2004-06-12  8:19           ` Russell Coker
  2004-06-12 14:37             ` Greg Norris
  0 siblings, 1 reply; 29+ messages in thread
From: Russell Coker @ 2004-06-12  8:19 UTC (permalink / raw)
  To: Greg Norris; +Cc: selinux

On Sat, 12 Jun 2004 09:26, Greg Norris <haphazard@kc.rr.com> wrote:
> Speaking of which, I'm trying to install this version (new install) on
> one of my Debian sid systems.  It gets through all of the interactive
> policy prompting OK, but then croaks with the following messages:
>
>    /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>    domains/user.te:42:ERROR 'unknown type user_xserver_tmp_t' at token ';'
> on line 21459: #line 42
>    allow user_uml_t user_xserver_tmp_t:sock_file { write };
>    /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
>    make: *** [/etc/security/selinux/policy.17] Error 1

What version of the policy package?  I think I've fixed that in recent 
versions...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid)
  2004-06-12  8:19           ` Russell Coker
@ 2004-06-12 14:37             ` Greg Norris
  2004-06-13  0:29               ` Russell Coker
  0 siblings, 1 reply; 29+ messages in thread
From: Greg Norris @ 2004-06-12 14:37 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Sat, Jun 12, 2004 at 06:19:57PM +1000, Russell Coker wrote:
> What version of the policy package?  I think I've fixed that in recent 
> versions...

adric@sasami[~]$ dpkg -l selinux-policy-default | tail -1
iF  selinux-policy 1.12-3         Policy config files and management for NSA S


* Re: SELinux on Debian (Sid)
  2004-06-12 14:37             ` Greg Norris
@ 2004-06-13  0:29               ` Russell Coker
  2004-06-13  1:28                 ` Greg Norris
  0 siblings, 1 reply; 29+ messages in thread
From: Russell Coker @ 2004-06-13  0:29 UTC (permalink / raw)
  To: Greg Norris; +Cc: selinux

On Sun, 13 Jun 2004 00:37, Greg Norris <haphazard@kc.rr.com> wrote:
> On Sat, Jun 12, 2004 at 06:19:57PM +1000, Russell Coker wrote:
> > What version of the policy package?  I think I've fixed that in recent
> > versions...
>
> adric@sasami[~]$ dpkg -l selinux-policy-default | tail -1
> iF  selinux-policy 1.12-3         Policy config files and management for

When you upgraded the policy and you were asked for replacing policy files, 
did you say "Ignore" or "Always ignore" to the new files?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: SELinux on Debian (Sid)
  2004-06-13  0:29               ` Russell Coker
@ 2004-06-13  1:28                 ` Greg Norris
  2004-06-13  7:54                   ` Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 29+ messages in thread
From: Greg Norris @ 2004-06-13  1:28 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Sun, Jun 13, 2004 at 10:29:35AM +1000, Russell Coker wrote:
> On Sun, 13 Jun 2004 00:37, Greg Norris <haphazard@kc.rr.com> wrote:
> > adric@sasami[~]$ dpkg -l selinux-policy-default | tail -1
> > iF  selinux-policy 1.12-3         Policy config files and management for
> 
> When you upgraded the policy and you were asked for replacing policy files, 
> did you say "Ignore" or "Always ignore" to the new files?

Neither... this was my original install, so I wasn't replacing any
existing policies.  I just selected the policies which seemed relevant,


* Re: SELinux on Debian (Sid)
  2004-06-13  1:28                 ` Greg Norris
@ 2004-06-13  7:54                   ` Luke Kenneth Casson Leighton
  2004-06-13 15:40                     ` Greg Norris
  0 siblings, 1 reply; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-13  7:54 UTC (permalink / raw)
  To: selinux

On Sat, Jun 12, 2004 at 08:28:52PM -0500, Greg Norris wrote:
> On Sun, Jun 13, 2004 at 10:29:35AM +1000, Russell Coker wrote:
> > On Sun, 13 Jun 2004 00:37, Greg Norris <haphazard@kc.rr.com> wrote:
> > > adric@sasami[~]$ dpkg -l selinux-policy-default | tail -1
> > > iF  selinux-policy 1.12-3         Policy config files and management for
> > 
> > When you upgraded the policy and you were asked for replacing policy files, 
> > did you say "Ignore" or "Always ignore" to the new files?
> 
> Neither... this was my original install, so I wasn't replacing any
> existing policies.  I just selected the policies which seemed relevant,

if i was you i would, as i said, delete the original install and
use russell's 1.12-3 policy.

when the 1.12-1 was released that was the only way that i managed
to get something going that i could work with.

l.



* Re: SELinux on Debian (Sid)
  2004-06-13  7:54                   ` Luke Kenneth Casson Leighton
@ 2004-06-13 15:40                     ` Greg Norris
  2004-06-13 16:03                       ` Greg Norris
  2004-06-13 18:29                       ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 29+ messages in thread
From: Greg Norris @ 2004-06-13 15:40 UTC (permalink / raw)
  To: selinux

On Sun, Jun 13, 2004 at 07:54:27AM +0000, Luke Kenneth Casson Leighton wrote:
> if i was you i would, as i said, delete the original install and
> use russell's 1.12-3 policy.

That's the exact version I'm using already... this was a new
installation, and 1.12-3 had already hit the archive by the time I
first attempted it.

I did try purging and re-installing last night, but that didn't seem to
change anything.  I'll go ahead and give it another shot, in case I
overlooked some cleanup.  Do you know if anything other than
/etc/selinux and /usr/share/selinux/policy needs to be removed
manually?


* Re: SELinux on Debian (Sid)
  2004-06-13 15:40                     ` Greg Norris
@ 2004-06-13 16:03                       ` Greg Norris
  2004-06-13 23:26                         ` Greg Norris
  2004-06-13 18:29                       ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 29+ messages in thread
From: Greg Norris @ 2004-06-13 16:03 UTC (permalink / raw)
  To: selinux

On Sun, Jun 13, 2004 at 10:40:33AM -0500, Greg Norris wrote:
> I did try purging and re-installing last night, but that didn't seem to
> change anything.  I'll go ahead and give it another shot, in case I
> overlooked some cleanup.  Do you know if anything other than
> /etc/selinux and /usr/share/selinux/policy needs to be removed
> manually?

It doesn't seem to have made any significant difference...

   Installing the new SE Linux policy
   /usr/bin/checkpolicy:  loading policy configuration from policy.conf
   domains/admin.te:19:ERROR 'unknown type sysadm_chkpwd_t' at token ';' on line 11746:
   allow sysadm_su_t sysadm_chkpwd_t:process transition;
   #line 19
   /usr/bin/checkpolicy:  error(s) encountered while parsing configuration


* Re: SELinux on Debian (Sid)
  2004-06-13 15:40                     ` Greg Norris
  2004-06-13 16:03                       ` Greg Norris
@ 2004-06-13 18:29                       ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-13 18:29 UTC (permalink / raw)
  To: selinux

On Sun, Jun 13, 2004 at 10:40:33AM -0500, Greg Norris wrote:
> On Sun, Jun 13, 2004 at 07:54:27AM +0000, Luke Kenneth Casson Leighton wrote:
> > if i was you i would, as i said, delete the original install and
> > use russell's 1.12-3 policy.
> 
> That's the exact version I'm using already... this was a new
> installation, and 1.12-3 had already hit the archive by the time I
> first attempted it.
 
 i haven't tried 1.12-3, i have 1.12-1 with several modifications / 
 nasty hacks to get things to work to the best of my limited knowledge
 at this point.

 if you're feeling brave i can send you what i have, you could
 always try putting it as /usr/share/selinux/policy/lkcl-braindead
 and then ln -s /etc/selinux to that.

 
> I did try purging and re-installing last night, but that didn't seem to
> change anything.  I'll go ahead and give it another shot, in case I
> overlooked some cleanup.  

 check /var/lib/dpkg/info/*.list for the set of files recorded.

 remember also to set things up with "enforcing=0" which is the
 default _before_ switching over to enforcing=1.

 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />



* Re: SELinux on Debian (Sid)
  2004-06-13 16:03                       ` Greg Norris
@ 2004-06-13 23:26                         ` Greg Norris
  2004-06-14  3:39                           ` Greg Norris
  0 siblings, 1 reply; 29+ messages in thread
From: Greg Norris @ 2004-06-13 23:26 UTC (permalink / raw)
  To: selinux

On Sun, Jun 13, 2004 at 11:03:10AM -0500, Greg Norris wrote:
> It doesn't seem to have made any significant difference...
> 
>    Installing the new SE Linux policy
>    /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>    domains/admin.te:19:ERROR 'unknown type sysadm_chkpwd_t' at token ';' on line 11746:
>    allow sysadm_su_t sysadm_chkpwd_t:process transition;
>    #line 19
>    /usr/bin/checkpolicy:  error(s) encountered while parsing configuration

In case anyone else encounters this issue, I've submitted a bugreport
to the Debian bug-tracking system.  You can view it at
"http://bugs.debian.org/254219".


* Re: SELinux on Debian (Sid)
  2004-06-13 23:26                         ` Greg Norris
@ 2004-06-14  3:39                           ` Greg Norris
  2004-06-14 11:38                             ` Russell Coker
  2004-06-18 19:01                             ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 29+ messages in thread
From: Greg Norris @ 2004-06-14  3:39 UTC (permalink / raw)
  To: selinux

On Sun, Jun 13, 2004 at 06:26:22PM -0500, Greg Norris wrote:
> In case anyone else encounters this issue, I've submitted a bugreport
> to the Debian bug-tracking system.  You can view it at
> "http://bugs.debian.org/254219".

Ok, I've finally managed to get the package to install... it turns out
that I needed to include chkpwd.te and inetd.se in my policy
selections.  I'm not actually using the corresponding software for
either, but they apparently include some definitions which are needed
by other policies.


* Re: SELinux on Debian (Sid)
  2004-06-14  3:39                           ` Greg Norris
@ 2004-06-14 11:38                             ` Russell Coker
  2004-06-14 12:31                               ` Greg Norris
  2004-06-18 19:01                             ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 29+ messages in thread
From: Russell Coker @ 2004-06-14 11:38 UTC (permalink / raw)
  To: Greg Norris; +Cc: selinux

On Mon, 14 Jun 2004 13:39, Greg Norris <haphazard@kc.rr.com> wrote:
> On Sun, Jun 13, 2004 at 06:26:22PM -0500, Greg Norris wrote:
> > In case anyone else encounters this issue, I've submitted a bugreport
> > to the Debian bug-tracking system.  You can view it at
> > "http://bugs.debian.org/254219".
>
> Ok, I've finally managed to get the package to install... it turns out
> that I needed to include chkpwd.te and inetd.se in my policy
> selections.  I'm not actually using the corresponding software for
> either, but they apparently include some definitions which are needed
> by other policies.

Actually you do need chkpwd.te, the current SE Linux policy will not allow 
programs to authenticate against /etc/shadow unless you have chkpwd.te 
installed.

I have to change selinux-policy-default to not allow you to deselect 
chkpwd.te.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
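
The "unknown type" failure discussed in the messages above, as an added example that is not part of the original thread or of the Debian package: a Python pre-check that lists allow-rule types which no selected policy module declares, and names the unselected module that would supply them. The module contents are constructed and simplified, only `type`, `attribute` and plain `allow` statements are parsed, and all function names are hypothetical.

```python
import re

# Constructed sample modules (NOT the real Debian policy files). Keys reuse
# file names mentioned in the thread; the contents are simplified stand-ins.
MODULES = {
    "domains/admin.te": (
        "type sysadm_t;\n"
        "type sysadm_su_t;\n"
        "allow sysadm_su_t sysadm_chkpwd_t:process transition;\n"
    ),
    "domains/user.te": (
        "type user_uml_t;\n"
        "allow user_uml_t user_xserver_tmp_t:sock_file { write };\n"
        "allow user_uml_t self:process { fork };\n"
    ),
    "chkpwd.te": (
        "type sysadm_chkpwd_t;\n"
        "allow sysadm_chkpwd_t { sysadm_t sysadm_su_t }:fd use;\n"
    ),
}

SYNC = re.compile(r'^#line\s+(\d+)(?:\s+"([^"]+)")?\s*$')
DECL = re.compile(r'^\s*(?:type|attribute)\s+([A-Za-z_]\w*)')
ALLOW = re.compile(r'^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:{]+)\s*:')
KEYWORDS = {"self"}  # "self" refers to the source type, it is not a type name


def build_policy_conf(modules, selected):
    """Concatenate the selected modules, prefixing each with an m4-style
    '#line N "file"' sync marker so statements can be traced to their source."""
    return "".join(f'#line 1 "{name}"\n{modules[name]}' for name in selected)


def names_in(field):
    """Split 'a_t' or '{ a_t b_t }' into individual identifiers."""
    return [n for n in field.strip("{}").split() if n not in KEYWORDS]


def scan(policy_conf):
    """Return (declared, refs): the declared type/attribute names, and a list
    of (source_file, source_line, conf_line, name) for each allow-rule type."""
    declared, refs = set(), []
    src_file, src_line = "policy.conf", 0
    for conf_line, text in enumerate(policy_conf.splitlines(), start=1):
        sync = SYNC.match(text)
        if sync:
            # The line following '#line N' is line N of the named source file.
            src_line = int(sync.group(1)) - 1
            src_file = sync.group(2) or src_file
            continue
        src_line += 1
        decl = DECL.match(text)
        if decl:
            declared.add(decl.group(1))
            continue
        rule = ALLOW.match(text)
        if rule:
            for field in rule.groups():
                for name in names_in(field):
                    refs.append((src_file, src_line, conf_line, name))
    return declared, refs


def unknown_types(modules, selected):
    """List references to undeclared types in the selected modules and, where
    one exists, the unselected module that declares the missing type."""
    declared, refs = scan(build_policy_conf(modules, selected))
    providers = {}
    for name in modules:
        if name not in selected:
            for t in scan(build_policy_conf(modules, [name]))[0]:
                providers.setdefault(t, name)
    return [
        {"where": f"{f}:{ln}", "conf_line": cl, "type": t,
         "provider": providers.get(t)}
        for f, ln, cl, t in refs if t not in declared
    ]


if __name__ == "__main__":
    # Selection without chkpwd.te, as in the failing install described above.
    for hit in unknown_types(MODULES, ["domains/admin.te", "domains/user.te"]):
        fix = hit["provider"] or "no module in this set declares it"
        print(f'{hit["where"]}: unknown type {hit["type"]} '
              f'(policy.conf line {hit["conf_line"]}) -> {fix}')
```
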


* Re: SELinux on Debian (Sid)
  2004-06-14 11:38                             ` Russell Coker
@ 2004-06-14 12:31                               ` Greg Norris
  0 siblings, 0 replies; 29+ messages in thread
From: Greg Norris @ 2004-06-14 12:31 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux

On Mon, Jun 14, 2004 at 09:38:23PM +1000, Russell Coker wrote:
> Actually you do need chkpwd.te, the current SE Linux policy will not allow 
> programs to authenticate against /etc/shadow unless you have chkpwd.te 
> installed.
> 
> I have to change selinux-policy-default to not allow you to deselect 
> chkpwd.te.

OK, that makes sense.  I'm still not sure why inetd.te was required,
but I'm not hugely worried about that one.  I'll be happy to provide
additional information if you want it, of course.


* Re: SELinux on Debian (Sid)
  2004-06-14  3:39                           ` Greg Norris
  2004-06-14 11:38                             ` Russell Coker
@ 2004-06-18 19:01                             ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 29+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-06-18 19:01 UTC (permalink / raw)
  To: selinux

On Sun, Jun 13, 2004 at 10:39:55PM -0500, Greg Norris wrote:
> On Sun, Jun 13, 2004 at 06:26:22PM -0500, Greg Norris wrote:
> > In case anyone else encounters this issue, I've submitted a bugreport
> > to the Debian bug-tracking system.  You can view it at
> > "http://bugs.debian.org/254219".
> 
> Ok, I've finally managed to get the package to install... it turns out
> that I needed to include chkpwd.te and inetd.se in my policy
> selections.  I'm not actually using the corresponding software for
> either, but they apparently include some definitions which are needed
> by other policies.

well done :)

greg, i am curious: the debian selinux policy packages that i
installed (1.12-1) i didn't get asked any questions about policy
selections.

at least, i don't _remember_ being asked any...

what gives?

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />

