* State of Debian SELinux
@ 2005-09-17 23:31 Dale Amon
2005-09-18 0:10 ` Jiann-Ming Su
` (2 more replies)
0 siblings, 3 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-17 23:31 UTC (permalink / raw)
To: selinux
I've set aside the next week to come back to SELinux
and evaluate if it's reached the point where I could
recommend it for customer sites.
So far Debian SELinux is looking pretty grim, and I'd
like feedback on whether there really is a straight
forward path to install it. By that I mean one without
a lot of kludges and pain as in the long
(and already obsolete) description of the Debian
install in McCarty's O'Reilly book.
I'm starting from a freshly burned Debian stable
install iso. I do a bog standard install up to
the point where the reboot brings you into aptitude.
I've tried both forks at that point; updating first
in sarge or cancelling.
I change the sources.list to sid and add Russell's
newselinux package line; then I update and
after selecting all the appropriate packages (and
the 2.6.12 kernel) I upgrade.
Problems: One, I have to deselect cups in the
policy default because it has an error that causes
the install to fail.
But even without it no go. I assumed I had to
reboot to get the selinuxfs, so I did that. But
the boot complains about it and a manual mount /selinuxfs
claims the kernel doesn't know what it is.
I checked the config; looks like everything associated
with selinux (and with xattr's on various file systems)
is selected.
The package will still not finish installing. The
error is:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.
I could fiddle a lot more, but that would be counter
productive: this time around I'm looking for a
reliable and straightforward install, not just
a bit of play time hacking.
Is there an up to date description of the Debian
install? McCarty's book is *way* out of date; I
could not find a current install procedure on
Russell's site, although such might be buried in
one of his many fine tutorials.
Is there a current canonical 1-2-3 procedure for
going from the current debian iso to a fully
installed SELinux system? I don't mind if I have
to fiddle with policy afterwards, but I do want
the comfort of knowing I've got a reliable means
of installing and updating (or talking a customer
through it) if I am to consider using it for real.
Of course the fact that sid seems to be required
is a *huge* negative to start with...
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
* Re: State of Debian SELinux
  2005-09-17 23:31 State of Debian SELinux Dale Amon
@ 2005-09-18  0:10 ` Jiann-Ming Su
  2005-09-18  9:47   ` Dale Amon
  2005-09-18  0:15 ` Luke Kenneth Casson Leighton
  2005-09-19 12:27 ` Stephen Smalley
  2 siblings, 1 reply; 20+ messages in thread
From: Jiann-Ming Su @ 2005-09-18  0:10 UTC (permalink / raw)
To: selinux

On 9/17/05, Dale Amon <amon@vnl.com> wrote:
> So far Debian SELinux is looking pretty grim, and I'd
> like feedback on whether there really is a straight
> forward path to install it. By that I mean one without
> a lot of kludges and pain as in the long
> (and already obsolete) description of the Debian
> install in McCarty's O'Reilly book.
>

In case you haven't seen these:

https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: State of Debian SELinux
  2005-09-18  0:10 ` Jiann-Ming Su
@ 2005-09-18  9:47   ` Dale Amon
  0 siblings, 0 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-18  9:47 UTC (permalink / raw)
To: Jiann-Ming Su; +Cc: selinux

On Sat, Sep 17, 2005 at 08:10:58PM -0400, Jiann-Ming Su wrote:
> On 9/17/05, Dale Amon <amon@vnl.com> wrote:
> > So far Debian SELinux is looking pretty grim, and I'd
> > like feedback on whether there really is a straight
> > forward path to install it. By that I mean one without
> > a lot of kludges and pain as in the long
> > (and already obsolete) description of the Debian
> > install in McCarty's O'Reilly book.
> >
>
> In case you haven't seen these:
>
> https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
> https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

I'd forgotten about Faye's excellent writing. But it unfortunately
describes (somewhat) the process I went through, which was

  * install base debian
  * add Russ's repository to sources.list
  * update

I shouldn't think any of the debian package mods would come into
play at this point as it is prior to fs labeling that things are
bombing out.
* Re: State of Debian SELinux
  2005-09-17 23:31 State of Debian SELinux Dale Amon
  2005-09-18  0:10 ` Jiann-Ming Su
@ 2005-09-18  0:15 ` Luke Kenneth Casson Leighton
  2005-09-18  9:58   ` Dale Amon
  2005-09-19 12:27 ` Stephen Smalley
  2 siblings, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-18  0:15 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux

dale, hi,

i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in
"unstable".

it was painful, took about four to five months, and it worked.

the reason why it took so long was because i set an extremely high entry
requirement: a _useful_ kde system. i.e. not one where you have to run
some stupid command in order to get your usb devices back, undamaged.

that meant using hal, which meant using udev, which meant using shmfs,
which meant a kernel patch to provide xattrs.

most of the stuff i did or highlighted is slowly filtering its way in,
mostly post-sarge-release, as that held everything up and i mean
everything (libselinux was an "optional" package and you cannot have
coreutils - a required package - depend on an "optional" package.
therefore the maintainer of coreutils refused to even look at selinux
patches until post-sarge.).

you will NOT get sarge to work [as-is].

you WILL need libselinux1 for a start, and because of the freeze
some 18 months ago libselinux1 did NOT make it into sarge.

manoj is the best person to speak to as he has de facto taken over
coordination of the patches etc. required.

you _will_ need the patched version of dpkg - the one that
sets selinux file contexts on files as it unpacks them - just
like rpm does.

you _will_ need to add /.dev to the list of files on which selinux
contexts are set, because if /.dev ever gets damaged (on the "original"
filesystem before udev is mounted and the "original" /dev moved to
/.dev) you WILL not be able to boot, because /sbin/init relies on
/dev/stuff BEFORE udev runs.

basically to solve this one (properly) udev needs to be integrated into
debian's initrd (just like it is in redhat's kernels) - or you simply
need to run with a kernel that doesn't use an initrd (just like you do
with gentoo), which means not using the standard debian kernels, because
of the risk of non-boot on file system corruption, mkfs.ext2 removing
xattrs on /dev/*.

sorry that's a bit long-winded and probably difficult to understand, but
i'm trying to pack stuff in quickly as i remember it - from several
months ago - without time for review of what i've written.

l.

On Sun, Sep 18, 2005 at 12:31:11AM +0100, Dale Amon wrote:
> I've set aside the next week to come back to SELinux
> and evaluate if it's reached the point where I could
> recommend it for customer sites.
* Re: State of Debian SELinux
  2005-09-18  0:15 ` Luke Kenneth Casson Leighton
@ 2005-09-18  9:58 ` Dale Amon
  2005-09-18 10:42   ` Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-18  9:58 UTC (permalink / raw)
To: Dale Amon, selinux

On Sun, Sep 18, 2005 at 01:15:12AM +0100, Luke Kenneth Casson Leighton wrote:
> dale, hi,

And hello yourself. I've been a bit scarce on this list lately.
Business has been good for a change... so no playtime. :-)

> i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in
> "unstable".
> it was painful, took about four to five months, and it worked.

Ouch. Well, I'm only interested in getting it up on rack mount
server class machines with no fancy workstation apps on them.
Nothing but LAMPs.

> you will NOT get sarge to work [as-is].

But can you start from the sarge iso and upgrade? Or should I
look at whatever they have as the latest and most bleeding edge
"don't look at me crosseyed or I'll fall over" sid iso?

> you WILL need libselinux1 for a start and because of the freeze
> some 18 months ago libselinux1 did NOT make it into sarge.

I'm picking that up from Russell's repository during the upgrade
and it does install okay.

> you _will_ need the patched version of dpkg - the one that
> sets selinux file contexts on files as it unpacks them - just
> like rpm does.

Yeah, but that shouldn't matter yet: the problems are in the
initial upgrade to SELinux packages, so the file system isn't
labeled yet and the kernel is still the base debian one.

> sorry that's a bit long-winded and probably difficult to
> understand but i'm trying to pack stuff in quickly as i remember it -
> from several months ago - without time for review of what i've written.

Oh, that's fine. Many of the items you note will be time savers.
Once I get the initial selinux package install to work, that is...
* Re: State of Debian SELinux
  2005-09-18  9:58 ` Dale Amon
@ 2005-09-18 10:42 ` Luke Kenneth Casson Leighton
  2005-09-18 21:58   ` Dale Amon
  0 siblings, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-18 10:42 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux

On Sun, Sep 18, 2005 at 10:58:07AM +0100, Dale Amon wrote:
> On Sun, Sep 18, 2005 at 01:15:12AM +0100, Luke Kenneth Casson Leighton wrote:
> > dale, hi,
>
> And hello yourself. I've been a bit scarce on this list lately.
> Business has been good for a change... so no playtime. :-)
>
> > i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in
> > "unstable".
> > it was painful, took about four to five months, and it worked.
>
> Ouch. Well, I'm only interested in getting it up on rack mount
> server class machines with no fancy workstation apps on them.
> Nothing but LAMPs.

then you would do well to consider gentoo/hardened instead!!

> > you will NOT get sarge to work [as-is].
>
> But can you start from the sarge iso and upgrade?

always.

> > you WILL need libselinux1 for a start and because of the freeze
> > some 18 months ago libselinux1 did NOT make it into sarge.
>
> I'm picking that up from Russell's repository during the upgrade
> and it does install okay.

look for manoj's stuff.

> > you _will_ need the patched version of dpkg - the one that
> > sets selinux file contexts on files as it unpacks them - just
> > like rpm does.
>
> Yeah, but that shouldn't matter yet: the problems are in the
> initial upgrade to SELinux packages so the file system isn't
> labeled yet and the kernel is still the base debian one.

ah, the "bootstrap" problem that i joyously encountered.

i found this to be a sticking point, too.

okay, you need to reboot first with ... damn it's been a while...

selinux=1 enabled=0

_then_ you stand a good chance of being able to [build and] relabel.

it's something to do with failures in the make process which i never
got to the bottom of - probably some of the libselinux / sepol
libraries detecting that selinux wasn't enabled, and not allowing
the build process to proceed properly.

most people only build and install selinux on already-useable
selinux systems.

l.
* Re: State of Debian SELinux
  2005-09-18 10:42 ` Luke Kenneth Casson Leighton
@ 2005-09-18 21:58 ` Dale Amon
  2005-09-18 22:48   ` Luke Kenneth Casson Leighton
  2005-09-23 18:53   ` sswami
  0 siblings, 2 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-18 21:58 UTC (permalink / raw)
To: Dale Amon, selinux

On Sun, Sep 18, 2005 at 11:42:19AM +0100, Luke Kenneth Casson Leighton wrote:
> On Sun, Sep 18, 2005 at 10:58:07AM +0100, Dale Amon wrote:
> > Ouch. Well, I'm only interested in getting it up on rack mount
> > server class machines with no fancy workstation apps on them.
> > Nothing but LAMPs.
> then you would do well to consider gentoo/hardened instead!!

Not an option. The software driving the active site was written
specifically for debian and in debian packages. I'd hate to have
to go back to them and say, well, you know those really neat
debian packages I did last year...

> > I'm picking that up from Russell's repository during the upgrade
> > and it does install okay.
>
> look for manoj's stuff.

I will, but just in case, do you have a url?

> okay, you need to reboot first with ... damn it's been a while...
>
> selinux=1 enabled=0

Actually, it's enforcing=0. And unfortunately that doesn't help.
I still get the same error messages as before.

> it's something to do with failures in the make process which i never
> got to the bottom of - probably some of the libselinux / sepol
> libraries detecting that selinux wasn't enabled, and not allowing
> the build process to proceed properly.

There is definitely something I am missing with libsepol because
there is an error about it which means absolutely nothing to me
that causes dselect to give up on installing the default policy.
It also seems to mean nothing to Google, so I guess it has not
come up on the mail list either:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.

Highly informative, n'est-ce pas? I can reproduce it manually:

cd /etc/selinux/src/
/usr/bin/checkpolicy

> most people only build and install selinux on already-useable
> selinux systems.

*amon turns to watch a chicken racing an egg across the road...
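The message above mixes three separate failure points: the kernel not exposing selinuxfs, the boot parameters (enforcing=0 rather than the misremembered enabled=0), and checkpolicy failing before anything reaches the kernel at all. The script below is an added example, not code from the thread or from the Debian packages. It reads those three inputs as plain text so it can run offline on constructed samples; the checkpolicy lines are the ones quoted in the message, while the /proc/filesystems and /proc/cmdline samples are made up for the example. On a real machine you would feed it the contents of /proc/filesystems, /proc/cmdline and the captured checkpolicy output.

```python
"""Triage for a failed Debian SELinux policy install (added example).

Tells apart: the running kernel not registering selinuxfs (so a
'mount /selinux' cannot work), the boot switches not being what you
think they are, and checkpolicy failing in userspace, which no kernel
setting can fix.
"""
from typing import Dict, List, Optional

# Fatal lines from the checkpolicy output quoted in the thread.
POLICY_FATAL = (
    "Type conflict!",
    "Out of memory - unable to check assertions.",
    "Check assertions failed.",
)


def kernel_has_selinuxfs(proc_filesystems: str) -> bool:
    """True if the kernel registered the selinuxfs filesystem type.

    /proc/filesystems has one type per line; virtual filesystems carry a
    'nodev' prefix separated by a tab, so only the last field is compared.
    """
    for line in proc_filesystems.splitlines():
        fields = line.split()
        if fields and fields[-1] == "selinuxfs":
            return True
    return False


def boot_params(cmdline: str) -> Dict[str, Optional[bool]]:
    """Read selinux= and enforcing= off a kernel command line.

    None means the parameter is absent. The kernel ignores keys it does
    not know, so a misspelt switch such as 'enabled=0' silently does
    nothing; that is why the absent case is reported on its own.
    """
    params: Dict[str, Optional[bool]] = {"selinux": None, "enforcing": None}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep and key in params:
            params[key] = value == "1"
    return params


def checkpolicy_failure(output: str) -> Optional[str]:
    """Return the first fatal line of a checkpolicy run, or None on success."""
    for line in output.splitlines():
        if any(marker in line for marker in POLICY_FATAL):
            return line.strip()
    return None


def triage(proc_filesystems: str, cmdline: str, checkpolicy_output: str) -> List[str]:
    """Collect findings in the order a practitioner would check them."""
    findings: List[str] = []
    if not kernel_has_selinuxfs(proc_filesystems):
        findings.append("kernel: no selinuxfs filesystem type; SELinux is not active "
                        "in this kernel (not built in, or disabled at boot), so "
                        "mounting /selinux cannot work")
    params = boot_params(cmdline)
    if params["selinux"] is False:
        findings.append("boot: selinux=0 on the command line; SELinux is disabled")
    if params["enforcing"] is None:
        findings.append("boot: no enforcing= parameter; the compiled-in default applies")
    failure = checkpolicy_failure(checkpolicy_output)
    if failure is not None:
        findings.append("policy: checkpolicy failed ('%s'); this is a userspace "
                        "compile error and does not depend on the kernel state" % failure)
    return findings


# Constructed samples. Only the checkpolicy lines are real (quoted in the
# thread); the filesystem and command-line samples are made up.
SAMPLE_FILESYSTEMS_OK = "nodev\tsysfs\nnodev\tproc\n\text3\nnodev\tselinuxfs\n"
SAMPLE_FILESYSTEMS_NOSE = "nodev\tsysfs\nnodev\tproc\n\text3\n"
SAMPLE_CMDLINE = "root=/dev/hda1 ro selinux=1 enforcing=0"
SAMPLE_CHECKPOLICY = (
    "/usr/bin/checkpolicy: loading policy configuration from policy.conf\n"
    "libsepol.expand_avtab_insert: Type conflict!\n"
    "Out of memory - unable to check assertions.\n"
    "Check assertions failed.\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILESYSTEMS_NOSE, SAMPLE_CMDLINE, SAMPLE_CHECKPOLICY):
        print(finding)
```

Run against the samples it reports two findings, a missing selinuxfs and the checkpolicy failure, and nothing about the boot line, which is the situation the message describes: the policy build fails in userspace whatever the kernel is doing.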
* Re: State of Debian SELinux
  2005-09-18 21:58 ` Dale Amon
@ 2005-09-18 22:48 ` Luke Kenneth Casson Leighton
  2005-09-19 11:15   ` Dale Amon
  2005-09-23 18:53 ` sswami
  1 sibling, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-18 22:48 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux

On Sun, Sep 18, 2005 at 10:58:41PM +0100, Dale Amon wrote:
> > selinux=1 enabled=0
>
> Actually, it's enforcing=0.

it's been a while :)

> And unfortunately that doesn't help.
> I still get the same error messages as before.
> > it's something to do with failures in the make process which i never
> > got to the bottom of - probably some of the libselinux / sepol
> > libraries detecting that selinux wasn't enabled, and not allowing
> > the build process to proceed properly.
>
> There is definitely something I am missing with libsepol because
> there is an error about it which means absolutely nothing to me
> that causes dselect to give up on installing the default policy.

dselect? ha! dselect is for wimps.

okay.

describe _exactly_ where you got everything from - what the packages
are, etc. how you did the install (you _should_ ideally be messin with
the latest linux2.6 nsa source code - kernel, library, etc. but hey if
you have found dpkg packages that's cool).

send all info to list.

then hopefully someone will know what's up.

i've no real pressing need to install debian/selinux right now (as i
did last year) otherwise i would try / see what happens.

l.
* Re: State of Debian SELinux
  2005-09-18 22:48 ` Luke Kenneth Casson Leighton
@ 2005-09-19 11:15 ` Dale Amon
  2005-09-19 11:56   ` Luke Kenneth Casson Leighton
  0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-19 11:15 UTC (permalink / raw)
To: Dale Amon, selinux

On Sun, Sep 18, 2005 at 11:48:50PM +0100, Luke Kenneth Casson Leighton wrote:
> On Sun, Sep 18, 2005 at 10:58:41PM +0100, Dale Amon wrote:
> > > selinux=1 enabled=0
> >
> > Actually, it's enforcing=0.
>
> it's been a while :)
>
> > And unfortunately that doesn't help.
> > I still get the same error messages as before.
> >
> > > it's something to do with failures in the make process which i never
> > > got to the bottom of - probably some of the libselinux / sepol
> > > libraries detecting that selinux wasn't enabled, and not allowing
> > > the build process to proceed properly.
> >
> > There is definitely something I am missing with libsepol because
> > there is an error about it which means absolutely nothing to me
> > that causes dselect to give up on installing the default policy.
>
> dselect? ha! dselect is for wimps.
>
> okay.
>
> describe _exactly_ where you got everything from - what the packages
> are, etc. how you did the install (you _should_ ideally be messin with
> the latest linux2.6 nsa source code - kernel, library, etc. but hey if
> you have found dpkg packages that's cool).
>
> send all info to list.

Okay, you asked for it.

First, a fresh install from the Debian 31r0a sarge i386 net install CD.
Take the defaults on pretty much everything except hostname and
partitions. I picked the workstation 3 partition option.

After the reboot, I have tried both doing the immediate update in
aptitude for sarge, or bogging out and editing the sources.list first.

The sources.list file is:

#deb file:///cdrom/ sarge main
deb http://ftp.ie.debian.org/debian/ sid main
deb-src http://ftp.ie.debian.org/debian/ sid main
deb http://www.coker.com.au/newselinux ./
deb http://security.debian.org/ stable/updates main

Then I either apt-get update and upgrade or do the same in dselect,
depending on mood. Result is the same, the error I described previously.

The set of packages installed at the moment is:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                               Version               Description
+++-==================================-=====================-============================================
ii  adduser                            3.67.0                Add and remove users and groups
ii  amd64-libs                         1.2                   Amd64 shared libraries for use on i386/x86_6
ii  apt                                0.6.41                Advanced front-end for dpkg
ii  apt-utils                          0.6.41                APT utility programs
ii  aptitude                           0.2.15.9-6            terminal-based apt frontend
ii  at                                 3.1.9                 Delayed job execution and batch processing
ii  base-config                        2.71                  Debian base system configurator
ii  base-files                         3.1.7                 Debian base system miscellaneous files
ii  base-passwd                        3.5.10                Debian base system master password and group
ii  bash                               3.0-16                The GNU Bourne Again SHell
ii  bc                                 1.06-17               The GNU bc arbitrary precision calculator la
ii  bin86                              0.16.14-1.2           16-bit x86 assembler and loader
ii  bind9-host                         9.3.1-2               Version of 'host' bundled with BIND 9.X
ii  binutils                           2.16.1cvs20050902-1   The GNU assembler, linker and binary utiliti
ii  bison                              2.0-2                 A parser generator that is compatible with Y
ii  bsdmainutils                       6.1.2                 collection of more utilities from FreeBSD
ii  bsdutils                           2.12p-7               Basic utilities from 4.4BSD-Lite
ii  bwidget                            1.7.0-1               A set of extension widgets for Tcl/Tk
ii  bzip2                              1.0.2-8.1             high-quality block-sorting file compressor -
ii  checkpolicy                        1.26-1                SELinux policy compiler
ii  console-common                     0.7.53                Basic infrastructure for text console config
ii  console-data                       2002.12.04dbs-49      Keymaps, fonts, charset maps, fallback table
ii  console-tools                      0.2.3dbs-56           Linux console and font utilities
ii  coreutils                          5.2.1-2.1             The GNU core utilities
ii  cpio                               2.6-5                 GNU cpio -- a program to manage archives of
ii  cpp                                4.0.1-3               The GNU C preprocessor (cpp)
ii  cpp-4.0                            4.0.1-7               The GNU C preprocessor
ii  cramfsprogs                        1.1-6                 Tools for CramFs (Compressed ROM File System
ii  cron                               3.0pl1-91             management of regular background processing
ii  dash                               0.5.2-7               The Debian Almquist Shell
ii  dc                                 1.06-17               The GNU dc arbitrary precision reverse-polis
ii  debconf                            1.4.58                Debian configuration management system
ii  debconf-i18n                       1.4.58                full internationalization support for debcon
ii  debconf-utils                      1.4.58                debconf utilities
ii  debianutils                        2.14.3                Miscellaneous utilities specific to Debian
ii  defoma                             0.11.8-0.1            Debian Font Manager -- automatic font config
ii  dhcp-client                        2.0pl5-19.1           DHCP Client
ii  dictionaries-common                0.50.4                Common utilities for spelling dictionary too
ii  diff                               2.8.1-11              File comparison utilities
ii  discover1                          1.7.13                hardware identification system
ii  discover1-data                     1.2005.07.31          hardware lists for libdiscover1
ii  dmidecode                          2.7-2                 Dump Desktop Management Interface data
ii  dnsutils                           9.3.1-2               Clients provided with BIND
ii  doc-debian                         3.1.2                 Debian Project documentation, Debian FAQ and
ii  doc-linux-text                     2005.09-1             Linux HOWTOs and FAQs in ASCII format
ii  dpkg                               1.13.11               package maintenance system for Debian
ii  dpkg-dev                           1.13.11               package building tools for Debian
ii  dselect                            1.13.11               user tool to manage Debian packages
ii  e2fslibs                           1.38-2                ext2 filesystem libraries
ii  e2fsprogs                          1.38-2                ext2 file system utilities and libraries
ii  ed                                 0.2-20                The classic unix line editor
ii  eject                              2.0.13deb-15          ejects CDs and operates CD-Changers under Li
ii  exim4                              4.52-2                metapackage to ease exim MTA (v4) installati
ii  exim4-base                         4.52-2                support files for all exim MTA (v4) packages
ii  exim4-config                       4.52-2                configuration for the exim MTA (v4)
ii  exim4-daemon-light                 4.52-2                lightweight exim MTA (v4) daemon
ii  fdutils                            5.5-20050303-1        Linux floppy utilities
ii  file                               4.12-1                Determines file type using "magic" numbers
ii  findutils                          4.2.25-1              utilities for finding files--find, xargs, an
ii  finger                             0.17-8                user information lookup program
ii  flex                               2.5.31-34             A fast lexical analyzer generator.
ii  fontconfig                         2.3.2-1               generic font configuration library
ii  ftp                                0.17-13               The FTP client
ii  g++                                4.0.1-3               The GNU C++ compiler
ii  g++-4.0                            4.0.1-7               The GNU C++ compiler
ii  gcc                                4.0.1-3               The GNU C compiler
ii  gcc-3.3-base                       3.3.6-10              The GNU Compiler Collection (base package)
ii  gcc-4.0                            4.0.1-7               The GNU C compiler
ii  gcc-4.0-base                       4.0.1-7               The GNU Compiler Collection (base package)
ii  gdb                                6.3-6                 The GNU Debugger
ii  gettext-base                       0.14.5-2              GNU Internationalization utilities for the b
ii  gnu-efi                            3.0a-4                Library for developing EFI applications
ii  gnupg                              1.4.1-1               GNU privacy guard - a free PGP replacement
ii  grep                               2.5.1.ds1-6           GNU grep, egrep and fgrep
ii  groff-base                         1.18.1.1-10           GNU troff text-formatting system (base syste
ii  grub                               0.95+cvs20040624-17   GRand Unified Bootloader
ii  gzip                               1.3.5-12              The GNU compression utility
ii  hicolor-icon-theme                 0.8-3                 default fallback theme for FreeDesktop.org i
ii  hostname                           2.91                  utility to set/show the host name or domain
ii  hotplug                            0.0.20040329-25       Linux Hotplug Scripts
ii  iamerican                          3.1.20.0-4            An American English dictionary for ispell
ii  ibritish                           3.1.20.0-4            A British English dictionary for ispell
ii  ifupdown                           0.6.7                 high level tools to configure network interf
ii  info                               4.7-2.2               Standalone GNU Info documentation browser
ii  initrd-tools                       0.1.82                tools to create initrd image for prepackaged
ii  initscripts                        2.86.ds1-2            Standard scripts needed for booting and shut
ii  ipchains                           1.3.10-16             Network firewalling for Linux 2.2.x
ii  iptables                           1.3.3-2               Linux kernel 2.4+ iptables administration to
ii  iputils-ping                       20020927-2            Tools to test the reachability of network ho
ii  ispell                             3.1.20.0-4            International Ispell (an interactive spellin
ii  kernel-doc-2.6.8                   2.6.8-16              Linux kernel specific documentation for vers
ii  kernel-image-2.4.27-2-386          2.4.27-11             Linux kernel image for version 2.4.27 on 386
ii  kernel-pcmcia-modules-2.4.27-2-386 2.4.27-11             Mainstream PCMCIA modules 2.4.27 on 386
ii  kernel-source-2.6.8                2.6.8-16              Linux kernel source for version 2.6.8 with D
ii  klogd                              1.4.1-17              Kernel Logging Daemon
ii  laptop-detect                      0.12.1                attempt to detect a laptop
ii  less                               382-2                 Pager program similar to more
ii  lib64gcc1                          4.0.1-7               GCC support library (64bit)
ii  lib64stdc++6                       4.0.1-7               The GNU Standard C++ Library v3 (64bit)
ii  libacl1                            2.2.29-1.0.1          Access control list shared library
ii  libatk1.0-0                        1.10.3-1              The ATK accessibility toolkit
ii  libatk1.0-data                     1.10.3-1              Common files for the ATK accessibility toolk
ii  libattr1                           2.4.21-1.0.1          Extended attribute shared library
ii  libbind9-0                         9.3.1-2               BIND9 Shared Library used by BIND
ii  libblkid1                          1.38-2                block device id library
ii  libbz2-1.0                         1.0.2-8.1             high-quality block-sorting file compressor l
ii  libc6                              2.3.5-6               GNU C Library: Shared libraries and Timezone
ii  libc6-dev                          2.3.5-6               GNU C Library: Development Libraries and Hea
ii  libcap1                            1.10-14               support for getting/setting POSIX.1e capabil
ii  libcomerr2                         1.38-2                common error description library
ii  libconsole                         0.2.3dbs-56           Shared libraries for Linux console and font
ii  libdb1-compat                      2.1.3-8               The Berkeley database routines [glibc 2.0/2.
ii  libdb3                             3.2.9-22              Berkeley v3 Database Libraries [runtime]
ii  libdb4.2                           4.2.52-19             Berkeley v4.2 Database Libraries [runtime]
ii  libdb4.3                           4.3.28-3              Berkeley v4.3 Database Libraries [runtime]
ii  libdiscover1                       1.7.13                hardware identification library
ii  libdns20                           9.3.1-2               DNS Shared Library used by BIND
ii  libedit2                           2.9.cvs.20050518-2.2  BSD editline and history libraries
ii  libevent1                          1.1a-1                An asynchronous event notification library
ii  libexpat1                          1.95.8-3              XML parsing C library - runtime library
ii  libfontconfig1                     2.3.2-1               generic font configuration library (shared l
ii  libfreetype6                       2.1.10-1              FreeType 2 font engine, shared library files
ii  libfs6                             6.8.2.dfsg.1-7        X Font Server library
ii  libft-perl                         1.2-15                Perl module for the FreeType library
ii  libgc1c2                           6.5-1                 conservative garbage collector for C and C++
ii  libgcc1                            4.0.1-7               GCC support library
ii  libgcrypt11                        1.2.1-4               LGPL Crypto library - runtime library
ii  libgdbm3                           1.8.3-2               GNU dbm database routines (runtime version)
ii  libglade2-0                        2.5.1-2               library to load .glade files at runtime
ii  libglib2.0-0                       2.8.0-1               The GLib library of C routines
ii  libglib2.0-data                    2.8.0-1               Common files for GLib library
ii  libgnutls11                        1.0.16-13.1           GNU TLS library - runtime library
ii  libgnutls12                        1.2.6-1               the GNU TLS library - runtime library
ii  libgpg-error0                      1.1-4                 library for common error values and messages
ii  libgpmg1                           1.19.6-21             General Purpose Mouse - shared library
ii  libgtk2.0-0                        2.6.10-1              The GTK+ graphical user interface library
ii  libgtk2.0-bin                      2.6.10-1              The programs for the GTK+ graphical user int
ii  libgtk2.0-common                   2.6.10-1              Common files for the GTK+ graphical user int
ii  libice6                            6.8.2.dfsg.1-7        Inter-Client Exchange library
ii  libident                           0.22-3                simple RFC1413 client library - runtime
ii  libidn11                           0.5.18-1              GNU libidn library, implementation of IETF I
ii  libisc9                            9.3.1-2               ISC Shared Library used by BIND
ii  libisccc0                          9.3.1-2               Command Channel Library used by BIND
ii  libisccfg1                         9.3.1-2               Config File Handling Library used by BIND
ii  libjpeg62                          6b-10                 The Independent JPEG Group's JPEG runtime li
ii  libkrb53                           1.3.6-5               MIT Kerberos runtime libraries
ii  libldap-2.2-7                      2.2.26-4              OpenLDAP libraries
ii  libldap2                           2.1.30-11             OpenLDAP libraries
ii  liblocale-gettext-perl             1.05-1                Using libc functions for internationalizatio
ii  liblockfile1                       1.06                  NFS-safe locking library, includes dotlockfi
ii  liblwres1                          9.3.1-2               Lightweight Resolver Library used by BIND
ii  liblzo1                            1.08-2                data compression library
ii  libmagic1                          4.12-1                File type determination library using "magic
ii  libncurses5                        5.4-9                 Shared libraries for terminal handling
ii  libncurses5-dev                    5.4-9                 Developer's libraries and docs for ncurses
ii  libncursesw5                       5.4-9                 Shared libraries for terminal handling (wide
ii  libnewt0.51                        0.51.6-31             Not Erik's Windowing Toolkit - text mode win
ii  libnfsidmap1                       0.8-1                 An nfs idmapping library
ii  libnss-db                          2.2.3pre1-1           NSS module for using Berkeley Databases as a
ii  libopencdk8                        0.5.7-2               Open Crypto Development Kit (OpenCDK) (runti
ii  libpam-modules                     0.77-0.se5            Pluggable Authentication Modules for PAM
ii  libpam-runtime                     0.77-0.se5            Runtime support for the PAM library
ii  libpam0g                           0.77-0.se5            Pluggable Authentication Modules library
ii  libpango1.0-0                      1.8.2-2               Layout and rendering of internationalized te
ii  libpango1.0-common                 1.8.2-2               Modules and configuration files for the Pang
ii  libpcap0.7                         0.7.2-7               System interface for user-level packet captu
ii  libpcre3                           6.3-1                 Perl 5 Compatible Regular Expression Library
ii  libpng12-0                         1.2.8rel-1            PNG library - runtime
ii  libpopt0                           1.7-5                 lib for parsing cmdline parameters
ii  libreadline4                       4.3-16                GNU readline and history libraries, run-time
ii  libreadline5                       5.0-11                GNU readline and history libraries, run-time
ii  libsasl2                           2.1.19-1.6            Authentication abstraction library
ii  libselinux1                        1.26-1                SELinux shared libraries
ii  libselinux1-dev                    1.26-1                SELinux development headers
ii  libsepol1                          1.8-1                 Security Enhanced Linux policy library for c
ii  libsepol1-dev                      1.8-1                 Security Enhanced Linux policy library and d
rc  libsigc++-1.2-5c102                1.2.5-4               type-safe Signal Framework for C++ - runtime
ii  libsigc++-1.2-5c2                  1.2.5-5               type-safe Signal Framework for C++ - runtime
ii  libslang2                          2.0.4-5               The S-Lang programming library - runtime ver
ii  libsm6                             6.8.2.dfsg.1-7        X Window System Session Management library
ii  libss2                             1.38-2                command-line interface parsing library
ii  libssl0.9.7                        0.9.7g-2              SSL shared libraries
ii  libstdc++5                         3.3.6-10              The GNU Standard C++ Library v3
ii  libstdc++6                         4.0.1-7               The GNU Standard C++ Library v3
ii  libstdc++6-4.0-dev                 4.0.1-7               The GNU Standard C++ Library v3 (development
ii  libtasn1-2                         0.2.13-1              Manage ASN.1 structures (runtime)
ii  libtext-charwidth-perl             0.04-2                get display widths of characters on the term
ii  libtext-iconv-perl                 1.4-1                 converts between character sets in Perl
ii  libtext-wrapi18n-perl              0.06-2                internationalized substitute of Text::Wrap
ii  libtextwrap1                       0.1-3                 text-wrapping library with i18n - runtime
ii  libtiff4                           3.7.3-1               Tag Image File Format (TIFF) library
ii  libttf2                            1.4pre.20030402-1.1   FreeType 1, The FREE TrueType Font Engine, s
ii  libusb-0.1-4                       0.1.10a-21            userspace USB programming library
ii  libuuid1                           1.38-2                universally unique id library
ii  libwrap0                           7.6.dbs-8             Wietse Venema's TCP wrappers library
ii  libx11-6                           6.8.2.dfsg.1-7        X Window System protocol client library
ii  libxaw8                            6.8.2.dfsg.1-7        X Athena widget set library
ii  libxcursor1                        1.1.3-1               X cursor management library
ii  libxext6                           6.8.2.dfsg.1-7        X Window System miscellaneous extension libr
ii  libxft2                            2.1.7-1               FreeType-based font drawing library for X
ii  libxi6                             6.8.2.dfsg.1-7        X Window System Input extension library
ii  libxinerama1                       6.8.2.dfsg.1-7        X Window System multi-head display library
ii  libxml2                            2.6.22-1              GNOME XML library
ii  libxmu6                            6.8.2.dfsg.1-7        X Window System miscellaneous utility librar
ii  libxp6                             6.8.2.dfsg.1-7        X Window System printing extension library
ii  libxpm4                            6.8.2.dfsg.1-7        X pixmap library
ii  libxrandr2                         6.8.2.dfsg.1-7        X Window System Resize, Rotate and Reflectio
ii  libxrender1                        0.9.0-2               X Rendering Extension client library
ii  libxt6                             6.8.2.dfsg.1-7        X Toolkit Intrinsics
ii  linux-doc-2.6.12                   2.6.12-6              Linux kernel specific documentation for vers
ii  linux-image-2.6-686                2.6.12-6              Linux kernel 2.6 image on PPro/Celeron/PII/P
ii  linux-image-2.6.12-1-686           2.6.12-6              Linux kernel 2.6.12 image on PPro/Celeron/PI
ii  linux-image-686                    2.6.12-6              Linux kernel image on PPro/Celeron/PII/PIII/
ii  linux-kernel-headers               2.6.13+0rc3-1.1       Linux Kernel Headers for development
ii  linux-source-2.6.12                2.6.12-6              Linux kernel source for version 2.6.12 with
ii  locales                            2.3.5-6               GNU C Library: National Language (locale) da
ii  login                              4.0.3-39              system login tools
ii  logrotate                          3.7.1-2               Log rotation utility
ii  lpr                                2005.05.01            BSD lpr/lpd line printer spooling system
ii  lsb-base                           3.0-6                 Linux Standard Base 3.0 init script function
ii  lsof                               4.76.dfsg.1-1         List open files.
ii  m4                                 1.4.3-2               a macro processing language
ii  mailx                              8.1.2-0.20050715cvs-1 A simple mail user agent
ii  make                               3.80-11               The GNU version of the "make" utility.
ii  makedev                            2.3.1-78              creates device files in /dev
ii  man-db                             2.4.3-2               The on-line manual pager
ii  manpages                           2.02-2                Manual pages about using a GNU/Linux system
ii  manpages-dev                       2.02-2                Manual pages about using GNU/Linux for devel
ii  mawk                               1.3.3-11              a pattern scanning and text processing langu
ii  mime-support                       3.35-1                MIME files 'mime.types' & 'mailcap', and sup
ii  module-init-tools                  3.2-pre8-1            tools for managing Linux kernel modules
ii  modutils                           2.4.27.0-3            Linux module utilities
ii  mount                              2.12p-7               Tools for mounting and manipulating filesyst
ii  mpack                              1.6-1.1               tools for encoding/decoding MIME messages
ii  mtools                             3.9.9-2.1             Tools for manipulating MSDOS files
ii  mtr-tiny                           0.69-2                Full screen ncurses traceroute tool
ii  mutt                               1.5.10-1              Text-based mailreader supporting MIME, GPG,
ii  nano                               1.3.8-2               free Pico clone with some new features
ii  ncurses-base                       5.4-9                 Descriptions of common terminal types
ii  ncurses-bin                        5.4-9                 Terminal-related programs and man pages
ii  ncurses-term                       5.4-9                 Additional terminal type definitions
ii  net-tools                          1.60-15               The NET-3 networking toolkit
ii  netbase                            4.21                  Basic TCP/IP networking system
ii  netcat                             1.10-27               TCP/IP swiss army knife
ii  netkit-inetd                       0.10-10.2             The Internet Superserver
ii  nfs-common                         1.0.7-3               NFS support files common to client and serve
ii  nvi                                1.79-22               4.4BSD re-implementation of vi
ii  openssh-client                     4.2p1-4               Secure shell client, an rlogin/rsh/rcp repla
ii  passwd                             4.0.3-39              change and administer password and group dat
ii  patch                              2.5.9-2               Apply a diff file to an original
ii  pciutils                           2.1.11-15.1           Linux PCI Utilities
ii  pcmcia-cs                          3.2.8-5               PCMCIA Card Services for Linux
ii  perl                               5.8.7-5               Larry Wall's Practical Extraction and Report
ii  perl-base                          5.8.7-5               The Pathologically Eclectic Rubbish Lister
ii  perl-modules                       5.8.7-5               Core Perl modules
ii  pidentd                            3.0.18-3              TCP/IP IDENT protocol server with DES suppor
ii  policycoreutils                    1.26-1                SELinux core policy utilities
ii  portmap                            5-15                  The RPC portmapper
ii  ppp                                2.4.3-20050321+2      Point-to-Point Protocol (PPP) daemon
ii  pppconfig                          2.3.11                A text menu based utility for configuring pp
ii  pppoe                              3.5-4                 PPP over Ethernet driver
ii  pppoeconf                          1.7                   configures PPPoE/ADSL connections
ii  procmail                           3.22-11               Versatile e-mail processor
ii  procps                             3.2.5-1               /proc file system utilities
ii  psmisc                             21.6-1                Utilities that use the proc filesystem
ii  python                             2.3.5-3               An interactive high-level object-oriented la
ii  python-newt                        0.51.6-31             A NEWT module for Python
ii  python2.3                          2.3.5-8               An interactive high-level object-oriented la
ii  readline-common                    5.0-11                GNU readline and history libraries, common f
ii  reportbug                          3.17                  reports bugs in the Debian distribution
ii  sed                                4.1.4-4               The GNU sed stream editor
ii  selinux-doc                        1.22-1                documentation for Security-Enhanced Linux
iF  selinux-policy-default             1.18-1                Policy config files and management for NSA S
ii  selinux-utils                      1.26-1                SELinux utility programs
ii  setools                            2.1.2-1               Tresys tools for managing SE Linux
ii  sgml-base                          1.26                  SGML infrastructure and SGML catalog file su
ii  sharutils                          4.2.1-15              shar, unshar, uuencode, uudecode
ii  slang1a-utf8                       1.4.9dbs-8            The S-Lang programming library with utf8 sup
ii  strace                             4.5.12-1              A
system call tracer ii sysklogd 1.4.1-17 System Logging Daemon ii sysv-rc 2.86.ds1-2 Standard boot mechanism using symlinks in /e ii sysvinit 2.86.ds1-2 System-V like init ii tar 1.15.1-2 GNU tar ii tasksel 2.31 Tool for selecting tasks for installation on ii tcl8.4 8.4.11-1 Tcl (the Tool Command Language) v8.4 - run-t ii tcpd 7.6.dbs-8 Wietse Venema's TCP wrapper utilities ii tcsh 6.14.00-1 TENEX C Shell, an enhanced version of Berkel ii telnet 0.17-30 The telnet client ii texinfo 4.7-2.2 Documentation system for on-line information ii time 1.7-21 The GNU time program for measuring cpu resou ii tk8.4 8.4.11-1 Tk toolkit for Tcl and X11, v8.4 - run-time ii traceroute 1.4a12-20 traces the route taken by packets over a TCP ii ttf-bitstream-vera 1.10-3 The Bitstream Vera family of free TrueType f ii ucf 2.001 Update Configuration File: preserves user ch ii usbutils 0.71-5 USB console utilities ii util-linux 2.12p-7 Miscellaneous system utilities ii w3m 0.5.1-4 WWW browsable pager with excellent tables/fr ii wamerican 5-4 American English dictionary words for /usr/s ii wget 1.10.1-1 retrieves files from the web ii whiptail 0.51.6-31 Displays user-friendly dialog boxes from she ii whois 4.7.8 the GNU whois client ii x-ttcidfont-conf 18 Configure TrueType and CID fonts for X ii x11-common 6.8.2.dfsg.1-7 X Window System (X.Org) infrastructure ii xlibs-data 6.8.2.dfsg.1-7 X Window System client data ii xml-core 0.09 XML infrastructure and XML catalog file supp ii xterm 6.8.2.dfsg.1-7 X terminal emulator ii xutils 6.8.2.dfsg.1-7 X Window System utility programs ii zile 2.2.2-1 very small emacs-like editor ii zlib1g 1.2.3-4 compression library - runtime -- ------------------------------------------------------ Dale Amon amon@islandone.org +44-7802-188325 International linux systems consultancy Hardware & software system design, security and networking, systems programming and Admin "Have Laptop, Will Travel" ------------------------------------------------------ [-- 
Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 189 bytes --]
* Re: State of Debian SELinux
  2005-09-19 11:15 ` Dale Amon
@ 2005-09-19 11:56 ` Luke Kenneth Casson Leighton
  2005-09-19 12:12 ` Stephen Smalley
  0 siblings, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-19 11:56 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux

hiya dale,

a quick search on google for "manoj selinux" showed two things, one of
which is unavailable and could probably be obtained from google cache,
and the other is this:

http://wiki.debian.net/?SELinux

oops. manoj's site isn't up.

mirrors when it is, anyone?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: State of Debian SELinux
  2005-09-19 11:56 ` Luke Kenneth Casson Leighton
@ 2005-09-19 12:12 ` Stephen Smalley
  0 siblings, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2005-09-19 12:12 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: Dale Amon, selinux

On Mon, 2005-09-19 at 12:56 +0100, Luke Kenneth Casson Leighton wrote:
> hiya dale,
>
> a quick search on google for "manoj selinux" showed two things, one of
> which is unavailable and could probably be obtained from google cache,
> and the other is this:
>
> http://wiki.debian.net/?SELinux
>
> oops. manoj's site isn't up.
>
> mirrors when it is, anyone?

Manoj's site is:
http://www.golden-gryphon.com/software/security/selinux.xhtml

I already have it linked into the Debian page at the selinux sourceforge
site, as well as listed in Manoj's entry in selinux-doc/CREDITS.

--
Stephen Smalley
National Security Agency
* Re: State of Debian SELinux
  2005-09-18 21:58 ` Dale Amon
  2005-09-18 22:48 ` Luke Kenneth Casson Leighton
@ 2005-09-23 18:53 ` sswami
  2005-09-23 20:02 ` Stephen Smalley
  1 sibling, 1 reply; 20+ messages in thread
From: sswami @ 2005-09-23 18:53 UTC (permalink / raw)
To: Dale Amon; +Cc: Dale Amon, selinux

Hello,

I was trying to install SELinux using the 2.6 kernel. I have been using
relevant packages from the coker site. When I do "make policy", I get the
following error message:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.

Can anyone please let me know what I should do to get rid of this?

thanks
saswati
* Re: State of Debian SELinux
  2005-09-23 18:53 ` sswami
@ 2005-09-23 20:02 ` Stephen Smalley
  0 siblings, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2005-09-23 20:02 UTC (permalink / raw)
To: sswami; +Cc: Russell Coker, Manoj Srivastava, Dale Amon, selinux

[-- Attachment #1: Type: text/plain, Size: 1482 bytes --]

On Fri, 2005-09-23 at 14:53 -0400, sswami@eden.rutgers.edu wrote:
> I was trying to install SELinux using the 2.6 kernel. I have been using
> relevant packages from the coker site. When I do "make policy", I get the
> following error message:
>
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> libsepol.expand_avtab_insert: Type conflict!
> Out of memory - unable to check assertions.
> Check assertions failed.
>
> Can anyone please let me know what I should do to get rid of this?

There are a couple of issues here, as discussed previously in this thread:

1) There is a bug in libsepol, fixed in libsepol 1.9.1 upstream. Patch
attached for your convenience. Requires rebuilding checkpolicy against
the updated libsepol as checkpolicy uses the static libsepol.

2) There is a bug in policy, fixed in policy 1.27.1 upstream. I'll
attach the specific diff that went into the upstream policy, but Dale
reported that he had to manually apply the change because it didn't
apply cleanly against the Debian policy. It is simply a matter of adding
the etc_writer attribute to the kernel_t type declaration
unconditionally (i.e. without the surrounding ifdef).

I think that Debian libsepol is being maintained by Manoj, and Debian
policy is being maintained by Russell. cc'd. However, note that Dale
has reported other issues with Debian policy as well; see his postings
for his workarounds so far.
-- Stephen Smalley National Security Agency [-- Attachment #2: libsepol-1.9.1.diff --] [-- Type: text/x-patch, Size: 2341 bytes --] Index: libsepol/ChangeLog =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v retrieving revision 1.59 retrieving revision 1.60 diff -u -p -r1.59 -r1.60 --- libsepol/ChangeLog 6 Sep 2005 17:52:49 -0000 1.59 +++ libsepol/ChangeLog 9 Sep 2005 14:32:32 -0000 1.60 @@ -1,3 +1,7 @@ +1.9.1 2005-09-09 + * Fixed expand_avtab and expand_cond_av_list to keep separate + entries with identical keys but different enabled flags. + 1.8 2005-09-06 * Updated version for release. Index: libsepol/VERSION =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v retrieving revision 1.54 retrieving revision 1.55 diff -u -p -r1.54 -r1.55 --- libsepol/VERSION 6 Sep 2005 17:52:49 -0000 1.54 +++ libsepol/VERSION 9 Sep 2005 14:32:32 -0000 1.55 @@ -1 +1 @@ -1.8 +1.9.1 Index: libsepol/src/expand.c =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/expand.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -p -r1.10 -r1.11 --- libsepol/src/expand.c 23 Aug 2005 13:05:18 -0000 1.10 +++ libsepol/src/expand.c 9 Sep 2005 14:32:35 -0000 1.11 
@@ -1916,17 +1916,29 @@ int expand_module(policydb_t *base, poli static int expand_avtab_insert(avtab_t *a, avtab_key_t *k, avtab_datum_t *d) { + avtab_ptr_t node; avtab_datum_t *avd; int rc; - - avd = avtab_search(a, k); - if (!avd) { + + node = avtab_search_node(a, k); + if (!node) { rc = avtab_insert(a, k, d); if (rc) DEBUG(__FUNCTION__, "Out of memory!\n"); return rc; } - + + if ((k->specified & AVTAB_ENABLED) != + (node->key.specified & AVTAB_ENABLED)) { + node = avtab_insert_nonunique(a, k, d); + if (!node) { + DEBUG(__FUNCTION__, "Out of memory!\n"); + return -1; + } + return 0; + } + + avd = &node->datum; switch (k->specified & ~AVTAB_ENABLED) { case AVTAB_ALLOWED: case AVTAB_AUDITALLOW: @@ -2035,7 +2047,8 @@ static int expand_cond_insert(cond_av_li cond_av_list_t *nl; node = avtab_search_node(expa, k); - if (!node) { + if (!node || + (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) { node = avtab_insert_nonunique(expa, k, d); if (!node) { DEBUG(__FUNCTION__, "Out of memory!\n"); [-- Attachment #3: policy-kernel.diff --] [-- Type: text/x-patch, Size: 922 bytes --] Index: policy/domains/misc/kernel.te =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/misc/kernel.te,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- policy/domains/misc/kernel.te 5 Jul 2005 19:30:10 -0000 1.13 +++ policy/domains/misc/kernel.te 15 Sep 2005 08:14:12 -0000 1.14 
@@ -11,7 +11,7 @@ # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. # -type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ; +type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ; role system_r types kernel_t; general_domain_access(kernel_t) general_proc_read_access(kernel_t) ^ permalink raw reply [flat|nested] 20+ messages in thread
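Review bot: in the expand_avtab_insert hunk of libsepol-1.9.1.diff above, the new AVTAB_ENABLED comparison is made against whichever node avtab_search_node returns first, and that lookup does not distinguish the enabled flag. Once this hunk has created two nodes for one key (the original plus the avtab_insert_nonunique copy with the other flag), a third rule whose flag matches the second node is compared against the first, judged a mismatch, and inserted as yet another non-unique node instead of being merged into the matching datum by the switch that follows `avd = &node->datum;`. Walk the chain of nodes for that key (avtab_search_node_next, if this libsepol has it) until one with the same AVTAB_ENABLED bit turns up, and only fall through to avtab_insert_nonunique when none does. Minor: the `-`/`+` pairs that swap blank lines for whitespace-only lines are trailing-whitespace churn and should be dropped before commit.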
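Review bot: the expand_cond_insert hunk has the same first-node-only check: `(node->key.specified & AVTAB_ENABLED)` is read from the first node found for the key, so after one mismatched insert every later rule with that key and the original flag also goes through avtab_insert_nonunique. The flag comparison is now copied verbatim between the two functions; a small static helper that returns the node with a matching enabled bit, or NULL, would serve both call sites and keep them from diverging. The added condition also runs well past the usual line width; break it after `||`.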
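Review bot: the kernel.te hunk drops the `ifdef(`nfs_export_all_rw', ...)` around etc_writer without recording why, and the comment block just above it still only says what kernel_t is. Add a line there noting that NFS export behaviour is now governed by a runtime boolean and that the attribute has to be present unconditionally for the conditional rules to pass the assertions; otherwise the next reader will take this declaration as "kernel threads may always write /etc". Also tidy the stray space before the closing `;`.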
* Re: State of Debian SELinux
  2005-09-17 23:31 State of Debian SELinux Dale Amon
  2005-09-18  0:10 ` Jiann-Ming Su
  2005-09-18  0:15 ` Luke Kenneth Casson Leighton
@ 2005-09-19 12:27 ` Stephen Smalley
  2005-09-20 18:10 ` Dale Amon
  2 siblings, 1 reply; 20+ messages in thread
From: Stephen Smalley @ 2005-09-19 12:27 UTC (permalink / raw)
To: Dale Amon; +Cc: Manoj Srivastava, Russell Coker, selinux

[-- Attachment #1: Type: text/plain, Size: 3332 bytes --]

On Sun, 2005-09-18 at 00:31 +0100, Dale Amon wrote:
> I've set aside the next week to come back to SELinux
> and evaluate if it's reached the point where I could
> recommend it for customer sites.
>
> So far Debian SELinux is looking pretty grim, and I'd
> like feedback on whether there really is a straight
> forward path to install it. By that I mean one with
> out a lot of kludges and pain as in the long
> (and already obsolete) description of the Debian
> install in McCarty's O'Reilly book.
>
> I'm starting from a freshly burned Debian stable
> install iso. I do a bog standard install up to
> the point where the reboot brings you into aptitude.
> I've tried both forks at that point; updating first
> in sarge or cancelling.
>
> I change the sources.list to sid and add Russell's
> newselinux package line; then I update and
> after selecting all the appropriate packages (and
> the 2.6.12 kernel) I upgrade.
>
> Problems: One, I have to deselect cups in the
> policy default because it has an error that causes
> the install to fail.
>
> But even without it no go. I assumed I had to
> reboot to get the selinuxfs, so I did that. But
> the boot complains about it and a manual mount /selinuxfs
> claims the kernel doesn't know what it is.
>
> I checked the config; looks like everything associated
> with selinux (and with xattr's on various file systems)
> is selected.

First, I'm not sure why you need to reboot to finish compiling the
policy, as the kernel has nothing to do with the policy build.

If selinuxfs isn't listed in /proc/filesystems, then SELinux is disabled
in your kernel, either via the compile-time options or via the boot time
parameter (which in Debian and SuSE defaults to selinux=0; you have to
explicitly use selinux=1 to enable it). Fedora defaults to enabled.
> The package will still not finish installing. The > error is: > > /usr/bin/checkpolicy: loading policy configuration from policy.conf > libsepol.expand_abtab_insert: Type conflict! > Out of memory - unable to check assertions. > Check assertions failed. Hmmm...can you send me (just me, not the entire list) that policy.conf? Or apply the attached patch to your libsepol, rebuild it, rebuild checkpolicy against it (it uses the static lib), and try again? > I could fiddle a lot more, but that would be counter > productive: this time around I'm looking for a > reliable and straightforward install, not just > a bit of play time hacking. > > Is there an up to date description of the Debian > install? McCarty's book is *way* out of date; I > could not find a current install procedure on > Russell's site, although such might be buried in > one of his many find tutorials. > > Is there a current canonical 1-2-3 procedure for > going from the current debian iso to a fully > installed SELinux system? I don't mind if I have > to fiddle with policy afterwards, but I do want > the comfort of knowing I've got a reliable means > of installing and updating (or talking a customer > through it) if I am to consider using it for real. > > Of course the fact that sid seems to be required > is a *huge* negative to start with... I think that most of your questions can only be answered by Russell and/or Manoj, as they seem to be maintaining SELinux for Debian. -- Stephen Smalley National Security Agency [-- Attachment #2: libsepol-1.9.1.patch --] [-- Type: text/x-patch, Size: 2341 bytes --] Index: libsepol/ChangeLog =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v retrieving revision 1.59 retrieving revision 1.60 diff -u -p -r1.59 -r1.60 --- libsepol/ChangeLog 6 Sep 2005 17:52:49 -0000 1.59 +++ libsepol/ChangeLog 9 Sep 2005 14:32:32 -0000 1.60 
@@ -1,3 +1,7 @@ +1.9.1 2005-09-09 + * Fixed expand_avtab and expand_cond_av_list to keep separate + entries with identical keys but different enabled flags. + 1.8 2005-09-06 * Updated version for release. Index: libsepol/VERSION =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v retrieving revision 1.54 retrieving revision 1.55 diff -u -p -r1.54 -r1.55 --- libsepol/VERSION 6 Sep 2005 17:52:49 -0000 1.54 +++ libsepol/VERSION 9 Sep 2005 14:32:32 -0000 1.55 @@ -1 +1 @@ -1.8 +1.9.1 Index: libsepol/src/expand.c =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/expand.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -p -r1.10 -r1.11 --- libsepol/src/expand.c 23 Aug 2005 13:05:18 -0000 1.10 +++ libsepol/src/expand.c 9 Sep 2005 14:32:35 -0000 1.11 @@ -1916,17 +1916,29 @@ int expand_module(policydb_t *base, poli static int expand_avtab_insert(avtab_t *a, avtab_key_t *k, avtab_datum_t *d) { + avtab_ptr_t node; avtab_datum_t *avd; int rc; - - avd = avtab_search(a, k); - if (!avd) { + + node = avtab_search_node(a, k); + if (!node) { rc = avtab_insert(a, k, d); if (rc) DEBUG(__FUNCTION__, "Out of memory!\n"); return rc; } - + + if ((k->specified & AVTAB_ENABLED) != + (node->key.specified & AVTAB_ENABLED)) { + node = avtab_insert_nonunique(a, k, d); + if (!node) { + DEBUG(__FUNCTION__, "Out of memory!\n"); + return -1; + } + return 0; + } + + avd = &node->datum; switch (k->specified & ~AVTAB_ENABLED) { case AVTAB_ALLOWED: case AVTAB_AUDITALLOW: @@ -2035,7 +2047,8 @@ static int expand_cond_insert(cond_av_li cond_av_list_t *nl; node = avtab_search_node(expa, k); - if (!node) { + if (!node || + (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) { node = avtab_insert_nonunique(expa, k, d); if (!node) { DEBUG(__FUNCTION__, "Out of memory!\n"); ^ permalink raw reply [flat|nested] 20+ messages in thread
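Stephen's diagnosis above (no selinuxfs in /proc/filesystems means SELinux is either not built into the kernel or switched off by the selinux=0 boot default on Debian and SuSE) can be turned into a check to run before touching the policy build at all. The script below is an added example, not code from the thread or from the Debian packages. It reads /proc/filesystems and /proc/cmdline, or any two files in the same format, and classifies the kernel; the sample file contents it prints results for are constructed here, and the kernel config option name CONFIG_SECURITY_SELINUX mentioned in the comments is stated from memory rather than from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): why can't /selinux be mounted?
# Both checks take a file path so they can run against constructed samples
# as well as the live /proc files.

# 0 if selinuxfs is registered in a /proc/filesystems-style file ("nodev\tselinuxfs").
selinuxfs_registered() {
    grep -Eq '(^|[[:space:]])selinuxfs$' "$1"
}

# Print the last selinux=N value in a /proc/cmdline-style file, or "unset".
selinux_boot_param() {
    val=$(tr ' ' '\n' < "$1" | sed -n 's/^selinux=\([01]\)$/\1/p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Print one of:
#   enabled        selinuxfs is there; a failing policy build is not a kernel problem
#   boot-disabled  booted without selinux=1 (Debian/SuSE kernels of the time
#                  defaulted the parameter to 0, per the thread) or with selinux=0
#   not-built      selinux=1 was passed and selinuxfs is still missing: the kernel
#                  was built without CONFIG_SECURITY_SELINUX
selinux_state() {
    if selinuxfs_registered "$1"; then
        echo enabled
    elif [ "$(selinux_boot_param "$2")" = 1 ]; then
        echo not-built
    else
        echo boot-disabled
    fi
}

# Constructed samples standing in for the live files.
demo() {
    d=$(mktemp -d)
    printf 'nodev\tsysfs\nnodev\tselinuxfs\n\text3\n' > "$d/fs_with_selinux"
    printf 'nodev\tsysfs\n\text3\n'                   > "$d/fs_without_selinux"
    printf 'root=/dev/hda1 ro\n'                       > "$d/cmdline_default"
    printf 'root=/dev/hda1 ro selinux=1\n'             > "$d/cmdline_on"
    printf '%s\n' "sample kernel with selinuxfs:     $(selinux_state "$d/fs_with_selinux" "$d/cmdline_default")"
    printf '%s\n' "sample kernel, default boot line: $(selinux_state "$d/fs_without_selinux" "$d/cmdline_default")"
    printf '%s\n' "sample kernel, selinux=1 passed:  $(selinux_state "$d/fs_without_selinux" "$d/cmdline_on")"
    rm -rf "$d"
}

demo
# On a real machine, run the same classification against the live files.
if [ -r /proc/filesystems ] && [ -r /proc/cmdline ]; then
    printf '%s\n' "this kernel: $(selinux_state /proc/filesystems /proc/cmdline)"
fi
```

The order of the two tests matters: a kernel that registers selinuxfs is usable regardless of what the command line says, and only when the filesystem is absent does the boot parameter tell you whether to edit the boot loader entry first or rebuild the kernel.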
* Re: State of Debian SELinux 2005-09-19 12:27 ` Stephen Smalley @ 2005-09-20 18:10 ` Dale Amon 2005-09-20 20:14 ` Stephen Smalley 0 siblings, 1 reply; 20+ messages in thread From: Dale Amon @ 2005-09-20 18:10 UTC (permalink / raw) To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux [-- Attachment #1: Type: text/plain, Size: 4198 bytes --] On Mon, Sep 19, 2005 at 08:27:50AM -0400, Stephen Smalley wrote: > Index: libsepol/ChangeLog > =================================================================== > RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v > retrieving revision 1.59 > retrieving revision 1.60 > diff -u -p -r1.59 -r1.60 > --- libsepol/ChangeLog 6 Sep 2005 17:52:49 -0000 1.59 > +++ libsepol/ChangeLog 9 Sep 2005 14:32:32 -0000 1.60 > @@ -1,3 +1,7 @@ > +1.9.1 2005-09-09 > + * Fixed expand_avtab and expand_cond_av_list to keep separate > + entries with identical keys but different enabled flags. > + > 1.8 2005-09-06 > * Updated version for release. > > Index: libsepol/VERSION > =================================================================== > RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v > retrieving revision 1.54 > retrieving revision 1.55 > diff -u -p -r1.54 -r1.55 > --- libsepol/VERSION 6 Sep 2005 17:52:49 -0000 1.54 > +++ libsepol/VERSION 9 Sep 2005 14:32:32 -0000 1.55 > @@ -1 +1 @@ > -1.8 > +1.9.1 > Index: libsepol/src/expand.c > =================================================================== > RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/expand.c,v > retrieving revision 1.10 > retrieving revision 1.11 > diff -u -p -r1.10 -r1.11 > --- libsepol/src/expand.c 23 Aug 2005 13:05:18 -0000 1.10 > +++ libsepol/src/expand.c 9 Sep 2005 14:32:35 -0000 1.11 
> @@ -1916,17 +1916,29 @@ int expand_module(policydb_t *base, poli > > static int expand_avtab_insert(avtab_t *a, avtab_key_t *k, avtab_datum_t *d) > { > + avtab_ptr_t node; > avtab_datum_t *avd; > int rc; > - > - avd = avtab_search(a, k); > - if (!avd) { > + > + node = avtab_search_node(a, k); > + if (!node) { > rc = avtab_insert(a, k, d); > if (rc) > DEBUG(__FUNCTION__, "Out of memory!\n"); > return rc; > } > - > + > + if ((k->specified & AVTAB_ENABLED) != > + (node->key.specified & AVTAB_ENABLED)) { > + node = avtab_insert_nonunique(a, k, d); > + if (!node) { > + DEBUG(__FUNCTION__, "Out of memory!\n"); > + return -1; > + } > + return 0; > + } > + > + avd = &node->datum; > switch (k->specified & ~AVTAB_ENABLED) { > case AVTAB_ALLOWED: > case AVTAB_AUDITALLOW: 
> @@ -2035,7 +2047,8 @@ static int expand_cond_insert(cond_av_li > cond_av_list_t *nl; > > node = avtab_search_node(expa, k); > - if (!node) { > + if (!node || > + (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) { > node = avtab_insert_nonunique(expa, k, d); > if (!node) { > DEBUG(__FUNCTION__, "Out of memory!\n"); To save time I did this in a chroot. The debian version is 1.8-1; your patch applied cleanly against this. I incremented the changelog to reflect the version change and built 1.9-1 debian packages which installed. However, rerunning dselect still shows the same error messages as before. Reading package lists... Done Building dependency tree... Done 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. 1 not fully installed or removed. Need to get 0B of archives. After unpacking 0B of additional disk space will be used. Do you want to continue [Y/n]? Setting up selinux-policy-default (1.18-1) ... /usr/bin/checkpolicy: loading policy configuration from policy.conf libsepol.expand_avtab_insert: Type conflict! Out of memory - unable to check assertions Check assertions failed. make: *** [/etc/selinux/policy/policy.20] Error 255 dpkg: error processing selinux-policy-default (--configure): subprocess post-installation script returned error exit status 2 Errors were encountered while processing: selinux-policy-default I could swap the drives out and try this live instead of from chroot, but I doubt it would matter. Suggestions? -- ------------------------------------------------------ Dale Amon amon@islandone.org +44-7802-188325 International linux systems consultancy Hardware & software system design, security and networking, systems programming and Admin "Have Laptop, Will Travel" ------------------------------------------------------ [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
  2005-09-20 18:10 ` Dale Amon
@ 2005-09-20 20:14 ` Stephen Smalley
  2005-09-22 19:41 ` Stephen Smalley
  0 siblings, 1 reply; 20+ messages in thread
From: Stephen Smalley @ 2005-09-20 20:14 UTC (permalink / raw)
To: Dale Amon; +Cc: Manoj Srivastava, Russell Coker, selinux

On Tue, 2005-09-20 at 19:10 +0100, Dale Amon wrote:
> Setting up selinux-policy-default (1.18-1) ...
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> libsepol.expand_avtab_insert: Type conflict!
> Out of memory - unable to check assertions
> Check assertions failed.
> make: *** [/etc/selinux/policy/policy.20] Error 255
<snip>
> Suggestions?

Yes, send me (privately) a copy of the policy.conf file.

--
Stephen Smalley
National Security Agency
* Re: State of Debian SELinux
  2005-09-20 20:14 ` Stephen Smalley
@ 2005-09-22 19:41 ` Stephen Smalley
  2005-09-22 21:31 ` Dale Amon
  0 siblings, 1 reply; 20+ messages in thread
From: Stephen Smalley @ 2005-09-22 19:41 UTC (permalink / raw)
To: Dale Amon; +Cc: Manoj Srivastava, Russell Coker, selinux

On Tue, 2005-09-20 at 16:14 -0400, Stephen Smalley wrote:
> On Tue, 2005-09-20 at 19:10 +0100, Dale Amon wrote:
> > Setting up selinux-policy-default (1.18-1) ...
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > libsepol.expand_avtab_insert: Type conflict!
> > Out of memory - unable to check assertions
> > Check assertions failed.
> > make: *** [/etc/selinux/policy/policy.20] Error 255
> <snip>
> > Suggestions?
>
> Yes, send me (privately) a copy of the policy.conf file.

Just to follow-up on list, after receiving the policy.conf file in
question, I found that:

1) The erroneous output from checkpolicy above is corrected by the diff
I posted for libsepol (1.8->1.9.1) that was already in sourceforge CVS.
Note that checkpolicy has to be rebuilt to pick up the patched libsepol,
as it uses the static library.

2) With the libsepol fix applied and checkpolicy rebuilt, checkpolicy
then reports legitimate assertion failures on some conditional rules in
the policy.conf. These particular assertion failures were due to the
etc_writer attribute on the kernel_t type being wrapped by an obsolete
ifdef leftover from when we were using compile-time tunables rather than
runtime policy booleans for nfs exports. Older versions of checkpolicy
weren't checking the conditional rules against the assertions, so they
wouldn't report this failure. The policy fix is to add the etc_writer
attribute unconditionally to the kernel_t type, and was already in
sourceforge CVS.

3) With the policy fix applied, checkpolicy successfully compiles the
policy.conf file.

--
Stephen Smalley
National Security Agency
* Re: State of Debian SELinux
  2005-09-22 19:41 ` Stephen Smalley
@ 2005-09-22 21:31 ` Dale Amon
  2005-09-22 21:38 ` Dale Amon
  0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-22 21:31 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux

[-- Attachment #1: Type: text/plain, Size: 1517 bytes --]

Further hacks to get Debian policy to install.

These are missing:

touch file_contexts/program/dante.fc
touch file_contexts/program/winbind.fc

These file contexts are duplicated

/etc/selinux/contexts/files/file_contexts: Multiple same specifications for /usr/lib(64)?/netsaint/plugins(/.*)?.
/etc/selinux/contexts/files/file_contexts: Multiple same specifications for /usr/lib(64)?/nagios/plugins(/.*)?.

In these files:

file_contexts/program/nagios.fc:/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
file_contexts/program/nrpe.fc:/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
file_contexts/program/nagios.fc:/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
file_contexts/program/nrpe.fc:/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t

These may have just been fixed since I last updated... I will have to
reload policy from scratch to confirm that.

Cups.te has an error:

domains/program/cups.te:245:ERROR 'unknown type rpm_var_lib_t' at token ';' on line 140828:
#line 245
allow cupsd_config_t rpm_var_lib_t:file { getattr read };

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security and networking,
systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
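The "Multiple same specifications" errors Dale lists above only surface once the whole policy has been assembled and setfiles is run over the merged file_contexts. The script below is an added example, not code from the thread or from the Debian policy package: it scans the individual .fc files before the build and reports clashing path specifications. The matching rule it applies is an assumption about how setfiles judges duplicates, namely that two entries clash when their regex is identical and either has no file-type field (which then applies to every file type) or both carry the same one (`--` regular file, `-d` directory, and so on). The sample .fc contents are constructed from the four lines Dale quoted plus one pair that differs only in file type and so must not be reported.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian policy package): find the
# "Multiple same specifications" that setfiles reports, before the policy build.
# Assumed rule: two entries clash when the regex is identical and either side
# has no file-type field ("*" below) or both have the same one.

# Usage: duplicate_fc_specs FILE.fc [FILE.fc ...]
# Prints one line per clashing pair: regex, then "file(type)" for each side.
duplicate_fc_specs() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            spec = $1
            type = ($2 ~ /^-[-bcdlps]$/) ? $2 : "*"  # "*": applies to every file type
            n[spec]++
            types[spec, n[spec]] = type
            files[spec, n[spec]] = FILENAME
        }
        END {
            for (s in n) {
                if (n[s] < 2) continue
                for (i = 1; i <= n[s]; i++)
                    for (j = i + 1; j <= n[s]; j++)
                        if (types[s,i] == "*" || types[s,j] == "*" || types[s,i] == types[s,j])
                            printf "%s\t%s(%s)\t%s(%s)\n", s, files[s,i], types[s,i], files[s,j], types[s,j]
            }
        }' "$@" | sort
}

# Constructed sample: the two files from the thread, plus a /var/log pair that
# must NOT be reported because the explicit file types differ.
demo() {
    d=$(mktemp -d)
    cat > "$d/nagios.fc" <<'EOF'
# nagios (constructed sample)
/usr/lib(64)?/netsaint/plugins(/.*)?  system_u:object_r:bin_t
/usr/lib(64)?/nagios/plugins(/.*)?    system_u:object_r:bin_t
/var/log/nagios(/.*)?  -d  system_u:object_r:var_log_t
EOF
    cat > "$d/nrpe.fc" <<'EOF'
/usr/lib(64)?/netsaint/plugins(/.*)?  --  system_u:object_r:bin_t
/usr/lib(64)?/nagios/plugins(/.*)?    --  system_u:object_r:bin_t
/var/log/nagios(/.*)?  --  system_u:object_r:var_log_t
EOF
    duplicate_fc_specs "$d/nagios.fc" "$d/nrpe.fc"
    rm -rf "$d"
}

demo
```

Run it as `duplicate_fc_specs file_contexts/program/*.fc` from the policy source tree; the two nagios/netsaint lines come out, the /var/log pair does not, and commenting out one side of each reported pair (as Dale did in nrpe.fc) is then a targeted edit rather than a guess.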
* Re: State of Debian SELinux
  2005-09-22 21:31 ` Dale Amon
@ 2005-09-22 21:38 ` Dale Amon
  2005-09-22 22:43 ` Dale Amon
  0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-22 21:38 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux

[-- Attachment #1: Type: text/plain, Size: 800 bytes --]

The error in cups.te occurs because a reference to

allow cupsd_config_t rpm_var_lib_t:file { getattr read };

occurs outside of the earlier conditional:

ifdef(`distro_redhat', `
ifdef(`rpm.te', `
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')dnl end distro_redhat

That looks like a Coker to me ;-)

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security and networking,
systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
* Re: State of Debian SELinux
  2005-09-22 21:38 ` Dale Amon
@ 2005-09-22 22:43 ` Dale Amon
  0 siblings, 0 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-22 22:43 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux

[-- Attachment #1: Type: text/plain, Size: 1147 bytes --]

Okay, I've got the debian selinux-policy-default package to install
finally. These are the hacks I used:

cd file_contexts/program/
touch dante.fc winbind.fc

#This is not required, but gets rid of an error msg
#edit nrpe.fc and comment out two lines:
#
#/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
#
#/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t

cd ../../domains/misc
#edit kernel.te, make line look like:
# type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, etc_writer ;

cd ../programs
#edit rpm.te and put conditional around line:
# ifdef(`rpm.te', `
# allow cupsd_config_t rpm_var_lib_t:file { getattr read };
# ')

I won't guarantee my hacks are right, but they get me through dselect at
least.

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security and networking,
systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
end of thread, other threads:[~2005-09-23 20:02 UTC | newest]

Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
2005-09-17 23:31 State of Debian SELinux Dale Amon
2005-09-18  0:10 ` Jiann-Ming Su
2005-09-18  9:47   ` Dale Amon
2005-09-18  0:15 ` Luke Kenneth Casson Leighton
2005-09-18  9:58   ` Dale Amon
2005-09-18 10:42     ` Luke Kenneth Casson Leighton
2005-09-18 21:58       ` Dale Amon
2005-09-18 22:48         ` Luke Kenneth Casson Leighton
2005-09-19 11:15           ` Dale Amon
2005-09-19 11:56             ` Luke Kenneth Casson Leighton
2005-09-19 12:12               ` Stephen Smalley
2005-09-23 18:53         ` sswami
2005-09-23 20:02           ` Stephen Smalley
2005-09-19 12:27 ` Stephen Smalley
2005-09-20 18:10   ` Dale Amon
2005-09-20 20:14     ` Stephen Smalley
2005-09-22 19:41       ` Stephen Smalley
2005-09-22 21:31         ` Dale Amon
2005-09-22 21:38           ` Dale Amon
2005-09-22 22:43             ` Dale Amon