* new Debian package
@ 2002-04-24 23:40 Russell Coker
0 siblings, 0 replies; 9+ messages in thread
From: Russell Coker @ 2002-04-24 23:40 UTC (permalink / raw)
To: SE Linux
I've just uploaded a new "selinux" package to Debian and to my site.
It has the new .fc file method for setfiles, all the latest setfiles patches,
and quite a number of changes to the policy files with M4 macros to allow you
to easily remove a .te file and have the policy still compile.
Enjoy!
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: new Debian package
[not found] <Pine.GSO.4.33.0204250829440.4789-100000@raven>
@ 2002-04-25 13:43 ` Russell Coker
2002-04-25 14:00 ` Stephen Smalley
0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2002-04-25 13:43 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
On Thu, 25 Apr 2002 14:30, you wrote:
> Does this mean that you've inserted appropriate ifdef's throughout
> the .te files for all inter-domain dependencies? If so, that's great!
Not all, just all the ones that bit me over the installations of three
machines with significantly different uses.
Reading through all the .te's and analysing them for potential problems is
more work than I wanted to get into, so I just fixed the things that bit me
(I think I got all the most common ones) and I'll wait for bug reports now.
I'll post some patches soon for this type of thing.
Also with the current Makefile rules we need the following empty files:
file_contexts/program/custom.fc
file_contexts/program/kernel.fc
file_contexts/program/kmod.fc
I haven't worked out how to remove this need so I've just added the empty
files to my package.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: new Debian package
2002-04-25 13:43 ` Russell Coker
@ 2002-04-25 14:00 ` Stephen Smalley
2002-04-25 14:46 ` Russell Coker
0 siblings, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2002-04-25 14:00 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Thu, 25 Apr 2002, Russell Coker wrote:
> Also with the current Makefile rules we need the following empty files:
> file_contexts/program/custom.fc
> file_contexts/program/kernel.fc
> file_contexts/program/kmod.fc
>
> I haven't worked out how to remove this need so I've just added the empty
> files to my package.
Yes, I did the same in our internal tree (except I didn't need custom.fc,
whatever that is, and I also needed an empty mail.fc since sendmail.fc
covered both the daemon domain and the user program domains for sendmail).
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: new Debian package
2002-04-25 14:00 ` Stephen Smalley
@ 2002-04-25 14:46 ` Russell Coker
0 siblings, 0 replies; 9+ messages in thread
From: Russell Coker @ 2002-04-25 14:46 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
On Thu, 25 Apr 2002 16:00, Stephen Smalley wrote:
> On Thu, 25 Apr 2002, Russell Coker wrote:
> > Also with the current Makefile rules we need the following empty files:
> > file_contexts/program/custom.fc
> > file_contexts/program/kernel.fc
> > file_contexts/program/kmod.fc
> >
> > I haven't worked out how to remove this need so I've just added the empty
> > files to my package.
>
> Yes, I did the same in our internal tree (except I didn't need custom.fc,
Sorry, as you may have guessed custom.te is my file for machine-specific
configuration which is outside the sample policy. There are a few domains
where I need to add some extra rules, and I find it easier to manage things
by having those extra rules all in one file (where I can see all the
additions to the standard policy) and having the main .te files for each
domain just being copies of the default files.
> whatever that is, and I also needed an empty mail.fc since sendmail.fc
> covered both the daemon domain and the user program domains for sendmail).
I just removed mail.te. It's not really needed.
^ permalink raw reply [flat|nested] 9+ messages in thread
* new Debian package
@ 2002-05-25 19:56 Russell Coker
2002-05-26 1:36 ` Debian User
0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2002-05-25 19:56 UTC (permalink / raw)
To: SE Linux
I've just uploaded a new Debian package, this one has the latest patches and
new policy that works a lot better. I now have a Debian machine running in
enforcing mode with a policy that is not much different from the default in
my package. It's running as an ADSL gateway machine (pppoatm with SpeedTouch
USB driver), a web server, and has the courier POP server running.
As the basic stuff is working it won't be too difficult for you to add
support for other daemons etc.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: new Debian package
2002-05-25 19:56 new Debian package Russell Coker
@ 2002-05-26 1:36 ` Debian User
2002-05-26 6:45 ` Russell Coker
2002-05-26 7:11 ` Russell Coker
0 siblings, 2 replies; 9+ messages in thread
From: Debian User @ 2002-05-26 1:36 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
Russell Coker wrote:
>I've just uploaded a new Debian package, this one has the latest patches and
>new policy that works a lot better. I now have a Debian machine running in
>enforcing mode with a policy that is not much different from the default in
>my package. It's running as an ADSL gateway machine (pppoatm with SpeedTouch
>USB driver), a web server, and has the courier POP server running.
>
>As the basic stuff is working it won't be too difficult for you to add
>support for other daemons etc.
>
I tried it just now; policy compilation fails with:
/usr/sbin/checkpolicy -o policy.9 policy.conerror in the statement
ending on line 13924 (token ';'): unknown type ipsec_file_t
/usr/sbin/checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.9] Error 1
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: new Debian package
2002-05-26 1:36 ` Debian User
@ 2002-05-26 6:45 ` Russell Coker
2002-05-26 7:11 ` Russell Coker
1 sibling, 0 replies; 9+ messages in thread
From: Russell Coker @ 2002-05-26 6:45 UTC (permalink / raw)
To: Debian User; +Cc: SE Linux
On Sun, 26 May 2002 03:36, Debian User wrote:
> >I've just uploaded a new Debian package, this one has the latest patches
> > and new policy that works a lot better. I now have a Debian machine
> > running in enforcing mode with a policy that is not much different from
> > the default in my package. It's running as an ADSL gateway machine
> > (pppoatm with SpeedTouch USB driver), a web server, and has the courier
> > POP server running.
> >
> >As the basic stuff is working it won't be too difficult for you to add
> >support for other daemons etc.
>
> I tried it just now policy compilation fails with:
>
> /usr/sbin/checkpolicy -o policy.9 policy.conerror in the statement
> ending on line 13924 (token ';'): unknown type ipsec_file_t
>
> /usr/sbin/checkpolicy: error(s) encountered while parsing configuration
This means that some file you are using has a rule involving the ipsec_file_t
while you have not included the ipsec.te file. Including ipsec.te is one way
of solving the problem, but a better solution (if you don't want ipsec) is to
find the file in question and fix it.
Old versions of initrc.te had the following:
allow initrc_t ipsec_file_t:file { read ioctl };
allow initrc_t ipsec_var_run_t:sock_file { read write };
New versions have this replacement to solve the problem:
ifdef(`ipsec.te',
`allow initrc_t ipsec_file_t:file { read ioctl };
allow initrc_t ipsec_var_run_t:sock_file { read write };')
Maybe you are using an old version of initrc.te?
If not then please send me the contents of line 13924 so I can work out the
source of this.
Steve, I think that it would be good if the checkpolicy program displayed the
entire line that caused the error when it can't compile a policy. Having to
load the policy file in vi and type :123... repeatedly gets tiring...
^ permalink raw reply [flat|nested] 9+ messages in thread
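Added example (not part of the thread and not code from the selinux package): one way to find the source file behind an "unknown type" error like the one discussed above, by searching .te sources for uses of the type that sit outside an m4-quoted block such as an ifdef(`ipsec.te', ...) guard. The file contents are constructed samples, example.te and example_t are hypothetical names, and treating any m4-quoted text as guarded is a simplifying assumption.

```python
import re

# Constructed sample inputs: the checkpolicy message quoted in the thread and
# two small stand-ins for .te files (not the package's real policy sources).
ERROR = ("error in the statement ending on line 13924 (token ';'): "
         "unknown type ipsec_file_t")
SOURCES = {
    "initrc.te": (
        "type initrc_t, domain;\n"
        "# ipsec_file_t is only mentioned here in a comment\n"
        "allow initrc_t ipsec_file_t:file { read ioctl };\n"
        "ifdef(`ipsec.te',\n"
        "`allow initrc_t ipsec_var_run_t:sock_file { read write };')\n"
    ),
    "example.te": (  # hypothetical file and domain name
        "type example_t, domain;\n"
        "ifdef(`ipsec.te', `allow example_t ipsec_file_t:file read;')\n"
    ),
}

def parse_error(message):
    """Return (line_number, type_name) from an 'unknown type' error."""
    m = re.search(r"ending on line (\d+) .*unknown type (\w+)", message)
    if m is None:
        raise ValueError("not an 'unknown type' error")
    return int(m.group(1)), m.group(2)

def unguarded_uses(sources, type_name):
    """List (file, line_no, text) where type_name appears outside m4 quotes."""
    word = re.compile(r"\b%s\b" % re.escape(type_name))
    hits = []
    for name in sorted(sources):
        depth = 0  # m4 quote nesting: ` opens, ' closes
        for no, raw in enumerate(sources[name].splitlines(), 1):
            code = raw.split("#", 1)[0]  # drop comments before matching
            for m in word.finditer(code):
                before = code[:m.start()]
                if depth + before.count("`") - before.count("'") == 0:
                    hits.append((name, no, code.strip()))
                    break
            depth += code.count("`") - code.count("'")
    return hits

if __name__ == "__main__":
    line_no, missing = parse_error(ERROR)
    for name, no, text in unguarded_uses(SOURCES, missing):
        print("%s:%d: %s (policy.conf line %d)" % (name, no, text, line_no))
```

Each reported line is a rule that reaches policy.conf even when the .te file declaring the type is left out, so it is the place to add the ifdef guard or remove the rule.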
* Re: new Debian package
2002-05-26 1:36 ` Debian User
2002-05-26 6:45 ` Russell Coker
@ 2002-05-26 7:11 ` Russell Coker
2002-05-27 3:53 ` Debian User
1 sibling, 1 reply; 9+ messages in thread
From: Russell Coker @ 2002-05-26 7:11 UTC (permalink / raw)
To: Debian User; +Cc: SE Linux
On Sun, 26 May 2002 08:45, Russell Coker wrote:
> On Sun, 26 May 2002 03:36, Debian User wrote:
> > >I've just uploaded a new Debian package, this one has the latest patches
> > > and new policy that works a lot better. I now have a Debian machine
> > > running in enforcing mode with a policy that is not much different from
> > > the default in my package. It's running as an ADSL gateway machine
> > > (pppoatm with SpeedTouch USB driver), a web server, and has the courier
> > > POP server running.
> > >
> > >As the basic stuff is working it won't be too difficult for you to add
> > >support for other daemons etc.
> >
> > I tried it just now policy compilation fails with:
> >
> > /usr/sbin/checkpolicy -o policy.9 policy.conerror in the statement
> > ending on line 13924 (token ';'): unknown type ipsec_file_t
> >
> > /usr/sbin/checkpolicy: error(s) encountered while parsing configuration
>
> This means that some file you are using has a rule involving the
> ipsec_file_t while you have not included the ipsec.te file. Including
> ipsec.te is one way of solving the problem, but a better solution (if you
> don't want ipsec) is to find the file in question and fix it.
As a follow up to this, that turned out to be a bug in my sample policy.
Just remove the lines in question from initrc.te.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: new Debian package
2002-05-26 7:11 ` Russell Coker
@ 2002-05-27 3:53 ` Debian User
0 siblings, 0 replies; 9+ messages in thread
From: Debian User @ 2002-05-27 3:53 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
Russell Coker wrote:
>On Sun, 26 May 2002 08:45, Russell Coker wrote:
>
>>On Sun, 26 May 2002 03:36, Debian User wrote:
>>
>>>>I've just uploaded a new Debian package, this one has the latest patches
>>>>and new policy that works a lot better. I now have a Debian machine
>>>>running in enforcing mode with a policy that is not much different from
>>>>the default in my package. It's running as an ADSL gateway machine
>>>>(pppoatm with SpeedTouch USB driver), a web server, and has the courier
>>>>POP server running.
>>>>
>>>>As the basic stuff is working it won't be too difficult for you to add
>>>>support for other daemons etc.
>>>>
>>>I tried it just now policy compilation fails with:
>>>
>>>/usr/sbin/checkpolicy -o policy.9 policy.conerror in the statement
>>>ending on line 13924 (token ';'): unknown type ipsec_file_t
>>>
>>>/usr/sbin/checkpolicy: error(s) encountered while parsing configuration
>>>
>>This means that some file you are using has a rule involving the
>>ipsec_file_t while you have not included the ipsec.te file. Including
>>ipsec.te is one way of solving the problem, but a better solution (if you
>>don't want ipsec) is to find the file in question and fix it.
>>
>
>As a follow up to this, that turned out to be a bug in my sample policy.
>Just remove the lines in question from initrc.te.
>
Well I got my old and new policy files mixed up and there was a bug. I
do need ipsec.
^ permalink raw reply [flat|nested] 9+ messages in thread