From: Magnus Therning <magnus-work@therning.org>
To: selinux@tycho.nsa.gov
Subject: Re: SELinux on Debian (Sid)
Date: Thu, 10 Jun 2004 14:09:08 +0200
Message-ID: <20040610120908.GN5477@philips.com>
In-Reply-To: <20040609175001.GC5727@lkcl.net>
On Wed, Jun 09, 2004 at 05:50:01PM +0000, Luke Kenneth Casson Leighton wrote:
>ha ha, another debian victiiim .
>
>0) make sure you're really a debian/unstable (apt-get dist-upgrade?)
Done!
>1) install, at your own risk of course, the 2.6.6-selinux1 kernel
>from http://hands.com/~lkcl/selinux.
I compiled one myself. Didn't manage to google my way to any pre-built
(also checked apt-get.org, why isn't it mentioned there?).
I seem to have succeeded in compiling the kernel properly, but I'll give
this one a shot anyway.
>2) DO NOT add selinux.lemuria.org/newselinux to your /etc/apt/sources.list
>
>3) DO add selinux.lemuria.org/walters to your /etc/apt/sources.list
I followed the instructions in the HOWTO I found on the SF project. It
mentions Russell Coker's repository.
>4) DO install the (probably downgraded) cron, logrotate, coreutils etc.
> from /walters
>
>5) use the 1.12 .debs for libselinux1 and selinux-policy-default
> and selinux-utils policycoreutils etc. they are the latest and they
> ARE in [ftp/http].*.debian.org
>
>6) once you have installed the 1.12 selinux-policy-default and stuff,
> YOU MUST go to http://sf.net/projects/selinux and download a
> replacement genhomedircon from the
> selinux-usr/policycoreutils//scripts/ directory.
>
> the version presently released is brain-dead and does something
> different and unexpected.
>
>i recommend you clean out everything you can find prior to doing all
>this.
>
>i ALSO recommend that you DO NOT install SE/Linux on an ext2 filesystem.
Ah, this I did do... Not too much of a problem to fix though.
>make sure you use ext3 for all partitions (well, i get away with /boot
>as an ext2) how do i put this this is REALLY IMPORTANT there is a bug
>somewhere in the extended attributes stuff and i got a repeatable and
>quite seriously corrupted filesystem.
>
>if you really really can't get it to work let me know and i can upload
>a set of pre-installed tar.gz'd partitions which only come to 124
>mbytes total, there are only about 160 packages preinstalled.
Thanks!
I'll be in touch with updates :-)
>On Wed, Jun 09, 2004 at 04:44:04PM +0200, Magnus Therning wrote:
>> I have run into some problems with getting a Debian box up and running
>> with SELinux. Maybe someone can offer some insights?
>>
>> Installing selinux-default-policy failed, make complains about 'chsid'
>> not being present. These are the problems I run into when trying to
>> complete the installation of the policies:
>>
>> 1. The makefile in /etc/selinux uses 'chsid'. This is the line:
>>
>> chsid system_u:object_r:policy_config_t /ss_policy
>>
>> Apparently that tool has been replaced by 'chcon'.
>>
>> chcon -u system_u -r object_r -t policy_config_t /ss_policy
>>
>> On a standard kernel this gave the following error message:
>>
>> chcon: invalid security context
>>
>> 2. The path to 'load_policy' is wrong in /etc/selinux/Makefile it now
>> lives in /usr/sbin rather than /usr/bin. Also the variable
>> LOADPOLICY isn't used at all, instead every reference to
>> 'load_policy' is written like this:
>>
>> $(BINDIR)/load_policy
>>
>> A little silly (-:
>>
>> 3. 'make relabel' fails on a standard kernel:
>>
>> load_policy: security_load_policy failed
>>
>> After rebooting using my SE-kernel 'make relabel' also fails:
>>
>> security: policydb magic number 0x8 does not match expected magic number 0xf97cff8c
>> load_policy: security_load_policy failed
>>
>> Now I am stuck :-( I simply don't know where to look for a thread to
>> pull to clean up the mess.
>>
>> /M
>>
>> --
>> Magnus Therning mailto:therning@sourceforge.natlab.research.philips.com
>> +31-40-2745179 http://pww.innersource.philips.com/magnus/
>> OpenPGP:0x4FBB2C40
>>
>> X-Windows: ...The art of incompetence.
>
>
>
>--
>--
>expecting email to be received and understood is a bit like
>picking up the telephone and immediately dialing without
>checking for a dial-tone; speaking immediately without listening
>for either an answer or ring-tone; hanging up immediately and
>believing that you have actually started a conversation.
>--
><a href="http://lkcl.net"> lkcl.net </a> <br />
><a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
>
--
-----------------------------------------------------------------------
Magnus Therning Philips Research Laboratories Eindhoven
Phone: +31 40 2745179 (OpenPGP: 0x4FBB2C40)
People who don't make mistakes make the greatest mistake of all;
they do nothing.
-- Unknown
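
Added example, not part of the original message or of any SELinux tool: a small pre-flight check for two failure points raised in this thread, the policydb magic number mismatch reported at load time and ext2 filesystems in the mount table. It assumes the magic is the first little-endian 32-bit word of the binary policy file; the function names and the sample bytes and mount lines are constructed for illustration.

```python
import struct
import sys

# Expected value, taken from the kernel error message quoted in this thread.
POLICYDB_MAGIC = 0xF97CFF8C

def read_policy_magic(data):
    """Return the first 32-bit little-endian word of a binary policy, or None."""
    if len(data) < 4:
        return None
    return struct.unpack_from("<I", data, 0)[0]

def check_policy(data):
    """Classify a policy image by its leading magic number."""
    magic = read_policy_magic(data)
    if magic is None:
        return "truncated: fewer than 4 bytes"
    if magic == POLICYDB_MAGIC:
        return "ok: magic 0x%x" % magic
    return "mismatch: magic 0x%x, kernel expects 0x%x" % (magic, POLICYDB_MAGIC)

def ext2_mounts(mounts_text):
    """Return mount points of type ext2 from /proc/mounts-style text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts columns: device, mount point, fs type, options, ...
        if len(fields) >= 3 and fields[2] == "ext2":
            found.append(fields[1])
    return found

# Constructed samples: only the first word matters for the magic check.
GOOD_POLICY = struct.pack("<I", POLICYDB_MAGIC) + b"\x00" * 12
BAD_POLICY = struct.pack("<I", 0x8) + b"\x00" * 12   # first word 0x8, as in the log
SAMPLE_MOUNTS = """\
/dev/hda1 /boot ext2 rw 0 0
/dev/hda2 / ext3 rw 0 0
/dev/hda3 /home ext2 rw 0 0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: pass the path of the compiled policy file.
        with open(sys.argv[1], "rb") as fh:
            print(check_policy(fh.read(4)))
        with open("/proc/mounts") as fh:
            print("ext2 mounts:", ext2_mounts(fh.read()))
    else:
        print(check_policy(GOOD_POLICY))
        print(check_policy(BAD_POLICY))
        print("ext2 mounts:", ext2_mounts(SAMPLE_MOUNTS))
```

A mismatch here reproduces the kernel's complaint without calling load_policy, so the policy file and the tools that built it can be checked before rebooting into the SE kernel.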