Problems finding working kernel/user land combination

["Dave Gilbert (Home)" <gilbertd@treblig.org>]

Hi,
   I've been following the document 'Getting Started With SE Linux 
HOWTO' by Faye Coker (12 March 2003) and am having problems. Any help 
much appreciated.

I'm using Debian Woody and the 'stable' set of tools from Brian May 
(www.microcomaustralia.com.au)

If I build the latest NSA kernel source the user land tools don't 
recognise that SELinux is in the kernel:

id -c :

Sorry, --context (-c) can be used only on a flask-enabled kernel.

yet the boot messages contain:

SELinux:  Initializing.
SELinux:  Starting in permissive mode
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security:  Registering secondary module capability
Capability LSM initialized


which I've read is normal behaviour (is it?)

An strace of 'id' shows:

SYS_223(0xf97cff8c, 0xc, 0, 0x400135cc) = -1 ENOSYS (Function not 
implemented)

There is an selinuxfs that I can mount and I can see files
'access  context  create  enforce  load  policyvers  relabel  user'
but they give invalid argument if I try and cat them.

I have:

CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y

-----------------------

OK - so that doesn't work; and I'm thinking I need to try a different 
kernel patch set.
So I download the patches from www.coker.com.au/newselinux/kern

and after battling through adding the ea, acl and nfsacl patches
I then patch the coker lsm patches on.

This has two problems:
   1) A minor reject in tcp_ipv4.c that appears easy to fix
   2) Line 666 (gulp!) of ip_output.c has:

   security_ip_fragment(skb2, skb);

   but there doesn't appear to be an skb2 in that context.

------------------------

So in short; does anyone have a known good set of kernel patches that 
actually work, or a set of userland tools for Debian/stable that work 
with the NSA kernel?

Thanks in advance,

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.