selinux-policy-default 1.14 is missing _stacks_ of stuff

selinux-policy-default 1.14 is missing _stacks_ of stuff

[Luke Kenneth Casson Leighton]

hi there,

for some reason i decided to upgrade to 2.6.7, and then policy.17
wasn't recognised, and then i have to install 1.14 etc. and it's
all gone pear-shaped.

there appears to be quite a lot of things missing from the
debian selinux-policy-default package.

- the appconfig directory
- the targeted directory
- the strict directory.

so, i can't use run_init because targeted/contexts/initrc_context
doesn't exist.

no strict directory exists either: i notice the existence of
this directory in the rpm spec file, but not in any of the debian/
files.

all sorts of other stuff is probably going pear-shaped.

i'm going to try just copy/installing the latest selinux-usr/policy/
cvs from the sf.net site, see what happens.

nothing to lose! :)

l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Russell Coker]

On Sun, 1 Aug 2004 20:32, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> there appears to be quite a lot of things missing from the
> debian selinux-policy-default package.
>
> - the appconfig directory
> - the targeted directory
> - the strict directory.

There is no support for targeted in Debian, only strict and it has the 
directory name "." .

> so, i can't use run_init because targeted/contexts/initrc_context
> doesn't exist.

Your /etc/selinux/config file should have the following line:
SELINUXTYPE=.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Luke Kenneth Casson Leighton]

On Sun, Aug 01, 2004 at 10:54:15PM +1000, Russell Coker wrote:
> On Sun, 1 Aug 2004 20:32, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > there appears to be quite a lot of things missing from the
> > debian selinux-policy-default package.
> >
> > - the appconfig directory
> > - the targeted directory
> > - the strict directory.
> 
> There is no support for targeted in Debian, only strict and it has the 
> directory name "." .
> 
> > so, i can't use run_init because targeted/contexts/initrc_context
> > doesn't exist.
> 
> Your /etc/selinux/config file should have the following line:
> SELINUXTYPE=.
 
 ah... there isn't an /etc/selinux/config file...

 perhaps that is the cause of the problem?

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Russell Coker]

On Sun, 1 Aug 2004 23:54, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > Your /etc/selinux/config file should have the following line:
> > SELINUXTYPE=.
>
>  ah... there isn't an /etc/selinux/config file...
>
>  perhaps that is the cause of the problem?

selinux-policy-default version 1.14-1 has the file, you can verify this with 
"dpkg -c".

# dpkg -c /var/cache/apt/archives/selinux-policy-default_1%3a1.14-1_all.deb |
grep /etc/selinux/config
-rw-r--r-- root/root       120 2004-07-13 19:33:09 ./etc/selinux/config

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Luke Kenneth Casson Leighton]

On Mon, Aug 02, 2004 at 12:28:28AM +1000, Russell Coker wrote:
> On Sun, 1 Aug 2004 23:54, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > Your /etc/selinux/config file should have the following line:
> > > SELINUXTYPE=.
> >
> >  ah... there isn't an /etc/selinux/config file...
> >
> >  perhaps that is the cause of the problem?
> 
> selinux-policy-default version 1.14-1 has the file, you can verify this with 
> "dpkg -c".
> 
> # dpkg -c /var/cache/apt/archives/selinux-policy-default_1%3a1.14-1_all.deb |
> grep /etc/selinux/config
> -rw-r--r-- root/root       120 2004-07-13 19:33:09 ./etc/selinux/config
 
 ..+*?  how very very odd.

 i wonder what happened.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Luke Kenneth Casson Leighton]

On Sun, Aug 01, 2004 at 10:54:15PM +1000, Russell Coker wrote:
> On Sun, 1 Aug 2004 20:32, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > there appears to be quite a lot of things missing from the
> > debian selinux-policy-default package.
> >
> > - the appconfig directory
> > - the targeted directory
> > - the strict directory.
> 
> There is no support for targeted in Debian, only strict and it has the 
> directory name "." .
> 
> > so, i can't use run_init because targeted/contexts/initrc_context
> > doesn't exist.
> 
> Your /etc/selinux/config file should have the following line:
> SELINUXTYPE=.
 
 there's no mention of SELINUXTYPE in the [sf.net cvs] Makefiles:
 remember i am in a bit of a rush so have replaced
 selinux-policy-default package with sf.net cvs.

 ... but checking the debian/* i find no mention of SELINUXTYPE.

 presumably, therefore /etc/selinux/config is something created
 by the rpm spec files?

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Stephen Smalley]

On Sun, 2004-08-01 at 08:54, Russell Coker wrote:
> There is no support for targeted in Debian, only strict and it has the 
> directory name "." .
> 
> > so, i can't use run_init because targeted/contexts/initrc_context
> > doesn't exist.
> 
> Your /etc/selinux/config file should have the following line:
> SELINUXTYPE=.

What does this mean for supporting multiple policies in Debian?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Russell Coker]

On Mon, 2 Aug 2004 23:08, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Sun, 2004-08-01 at 08:54, Russell Coker wrote:
> > There is no support for targeted in Debian, only strict and it has the
> > directory name "." .
> >
> > > so, i can't use run_init because targeted/contexts/initrc_context
> > > doesn't exist.
> >
> > Your /etc/selinux/config file should have the following line:
> > SELINUXTYPE=.
>
> What does this mean for supporting multiple policies in Debian?

This means that you do it in the Debian way.  You install a package that 
supplies what you want to do.

Having two conflicting packages installed at once is not the Debian way.

Of course changing a system from one policy package to another will be 
awkward, but I think I can make it no more painful than it has to be (relabel 
and reboot).  Not that it really matters while there's only one policy 
available in Debian.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Ian Campbell]

On Mon, 2004-08-02 at 14:23, Russell Coker wrote:
> On Mon, 2 Aug 2004 23:08, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> > On Sun, 2004-08-01 at 08:54, Russell Coker wrote:
> > > There is no support for targeted in Debian, only strict and it has the
> > > directory name "." .
> > >
> > > > so, i can't use run_init because targeted/contexts/initrc_context
> > > > doesn't exist.
> > >
> > > Your /etc/selinux/config file should have the following line:
> > > SELINUXTYPE=.
> >
> > What does this mean for supporting multiple policies in Debian?
> 
> This means that you do it in the Debian way.  You install a package that 
> supplies what you want to do.
> 
> Having two conflicting packages installed at once is not the Debian way.

I appreciate that this is true for some packages, MTAs being the prime
example. But what about packages that use the alternatives system --
they do not conflict with each other even though they supply "the same
thing".

However I don't claim to know enough about SE Linux and/or Debian's
policies (although I am long-time Debian user) to say which of the two
situations is the most suitable model for SE Linux policies.

Ian.
-- 
Ian Campbell
Current Noise: Kreator - Awakening of the Gods



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: selinux-policy-default 1.14 is missing _stacks_ of stuff

[Russell Coker]

On Tue, 3 Aug 2004 01:10, Ian Campbell <ijc@hellion.org.uk> wrote:
> > This means that you do it in the Debian way.  You install a package that
> > supplies what you want to do.
> >
> > Having two conflicting packages installed at once is not the Debian way.
>
> I appreciate that this is true for some packages, MTAs being the prime
> example. But what about packages that use the alternatives system --
> they do not conflict with each other even though they supply "the same
> thing".

This is true for cases such as nvi vs vim.  You can install both nvi and vim 
on the same system, some users will prefer one and configure their account 
(by putting an alias in ~/.bash_profile or similar) for their preferred 
editor.  Some users won't really care because they use so few features that 
both nvi and vim are the same to them, they can just run "vi" and get 
whichever it's linked to.

SE Linux policy is quite different.  Turning off SE Linux enforcement, 
relabelling all file systems, rm'ing files from /tmp and /var/tmp, rebooting, 
and maybe having to unlink some temporary files that were created during the 
shutdown process is quite a serious and significant operation.

I might say to myself "hey I think I'll try a different vi today", but the 
decision to change to a different SE Linux policy is much more significant.

When someone else packages a SE Linux policy for Debian we can review this.  I 
think that I have done a decent job of planning for multiple policies over 
the last 3 years even though there has only been one policy in Debian.  ;)

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.