Debian SELinux backports project

Debian SELinux backports project

[Erich Schubert]

Hi,
I've started a SELinux project on Alioth, with the goal of providing
backports of all SELinux related packages for Debian *stable*.
Since all the up-to-date SELinux stuff is only in unstable.
I'm running a couple of servers on stable with backports, so I can as
well upload them.

If you are interested in joining this effort, please contact me. I also
want to collect installation information and similar stuff for Debian
stable, I guess the best place to put them is the Debian Wiki.

I've already setup some pages there:
http://wiki.debian.org/SELinux
http://wiki.debian.org/SELinuxStatus
the latter is especially useful, since it contains a list of bug reports
related to SELinux on Debian.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C   (o_
   There was never a good war or a bad peace. - Benjamin Franklin   //\
            Es ist besser, geliebt und verloren zu haben,           V_/_
                    als niemals geliebt zu haben.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian SELinux backports project

[Luke Kenneth Casson Leighton]

erich, hi,

the joyous sticking point: what to do about the kernel?

do you intend to:

a) stick with a 2.6.8 kernel, unmodified
b) require a 2.6.14+ (whatever)
c) stick with a 2.6.8 kernel, backporting all the selinux
   kernel modifications to date _back_ into 2.6.8

b) _would_ be the simplest - let's hope gcc 4.0 doesn't get in the way,
or more specifically, let's hope that the unmodified 2.6.14+ debian
kernels will work as-is.

l.

On Thu, Nov 17, 2005 at 02:05:10PM +0100, Erich Schubert wrote:
> Hi,
> I've started a SELinux project on Alioth, with the goal of providing
> backports of all SELinux related packages for Debian *stable*.
> Since all the up-to-date SELinux stuff is only in unstable.
> I'm running a couple of servers on stable with backports, so I can as
> well upload them.
> 
> If you are interested in joining this effort, please contact me. I also
> want to collect installation information and similar stuff for Debian
> stable, I guess the best place to put them is the Debian Wiki.
> 
> I've already setup some pages there:
> http://wiki.debian.org/SELinux
> http://wiki.debian.org/SELinuxStatus
> the latter is especially useful, since it contains a list of bug reports
> related to SELinux on Debian.
> 
> best regards,
> Erich Schubert
> -- 
>     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C   (o_
>    There was never a good war or a bad peace. - Benjamin Franklin   //\
>             Es ist besser, geliebt und verloren zu haben,           V_/_
>                     als niemals geliebt zu haben.
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

-- 
--
<a href="http://lkcl.net">http://lkcl.net</a>
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian SELinux backports project

[Erich Schubert]

Hi Luke,
I'll not support older kernels. I'll recommend to either build your own
kernel, or get the linux-image 2.6.14+ from unstable.
Fortunately, the linux kernel doesn't depend on much userspace programs.
Obviously, the kernel cannot depend on a library, which is very
nice. ;-)
But the debian "vanilla" kernels do depend on a tool to generate
appropriate init ramdisks, so I'll probably include an unmodified
"backport" of yaird or one of the other initrd tool, once I've decided
which I prefer. Yaird worked okay on a test machine of mine, but not on
a second one, unfortunately; but I don't know why yet... Looked like
some module was missing for mounting the root which is on software raid;
the "old" kernel had these drivers built in, making it of course harder
for yaird to detect the appropriate modules...

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
  A polar bear is a rectangular bear after a coordinate transform.   //\
       Signatur befindet sich auf der Rückseite dieser E-Mail.       V_/_



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Debian SELinux backports project

[Dale Amon]

[-- Attachment #1: Type: text/plain, Size: 1901 bytes --]

On Thu, Nov 17, 2005 at 03:27:24PM +0100, Erich Schubert wrote:
> Hi Luke,
> I'll not support older kernels. I'll recommend to either build your own
> kernel, or get the linux-image 2.6.14+ from unstable.
> Fortunately, the linux kernel doesn't depend on much userspace programs.
> Obviously, the kernel cannot depend on a library, which is very
> nice. ;-)
> But the debian "vanilla" kernels do depend on a tool to generate
> appropriate init ramdisks, so I'll probably include an unmodified
> "backport" of yaird or one of the other initrd tool, once I've decided
> which I prefer. Yaird worked okay on a test machine of mine, but not on
> a second one, unfortunately; but I don't know why yet... Looked like
> some module was missing for mounting the root which is on software raid;
> the "old" kernel had these drivers built in, making it of course harder
> for yaird to detect the appropriate modules...

I've spent loads of time on the Debian battle myself ;-)

One of the issues with the kernel is that last time I
looked, even the kernel source packages in etch were
rather oldish. I'm not against doing my own from scratch
from kernel.org, but for operational systems it is better
to depend on official debian kernel sources if at all
possible.

I expect I will come back to the selinux debian problem
within the next couple weeks as it is on my whiteboard
as something I would like to use in development project 
I'm currently working on.

FWIW, count me in.

-- 
------------------------------------------------------
             Artemis Systems Development
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Debian SELinux backports project

[Erich Schubert]

Hi folks,
http://selinux.alioth.debian.org/ is up with a tiny bit of information,
as well as a dozen of (yet untested) packages, as well as an extensive
backporting howto
at http://selinux.alioth.debian.org/sesarge/HOWTO-Backport.txt

I currently don't have a box at hand to test the backports... maybe I'll
be able to organize one the next days, but I cannot promise. Basically I
just redid my earlier work on backports (but which I didn't upload to a
public location) a bit more formally and documented every step in above
HOWTO.
The changes I did to the packges are so tiny, the only thing that might
be broken are the cronjob changes in cron.daily/standard - I didn't test
them "literally" yet. So there might still be a typo in there. But
nothing serious, it will probably just give you some more SELinux audits
to care about.

best regards,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     Which is worse: ignorance or apathy? Who knows? Who cares?     //\
               Für jedes Problem gibt es eine Lösung,               V_/_
                 die einfach, klar und falsch ist.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.