Problems finding working kernel/user land combination

Problems finding working kernel/user land combination

[Dave Gilbert (Home)]

Hi,
   I've been following the document 'Getting Started With SE Linux 
HOWTO' by Faye Coker (12 March 2003) and am having problems. Any help 
much appreciated.

I'm using Debian Woody and the 'stable' set of tools from Brian May 
(www.microcomaustralia.com.au)

If I build the latest NSA kernel source the user land tools don't 
recognise that SELinux is in the kernel:

id -c :

Sorry, --context (-c) can be used only on a flask-enabled kernel.

yet the boot messages contain:

SELinux:  Initializing.
SELinux:  Starting in permissive mode
There is already a security framework initialized, register_security failed.
Failure registering capabilities with the kernel
selinux_register_security:  Registering secondary module capability
Capability LSM initialized


which I've read is normal behaviour (is it?)

An strace of 'id' shows:

SYS_223(0xf97cff8c, 0xc, 0, 0x400135cc) = -1 ENOSYS (Function not 
implemented)

There is an selinuxfs that I can mount and I can see files
'access  context  create  enforce  load  policyvers  relabel  user'
but they give invalid argument if I try and cat them.

I have:

CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y

-----------------------

OK - so that doesn't work; and I'm thinking I need to try a different 
kernel patch set.
So I download the patches from www.coker.com.au/newselinux/kern

and after battling through adding the ea, acl and nfsacl patches
I then patch the coker lsm patches on.

This has two problems:
   1) A minor reject in tcp_ipv4.c that appears easy to fix
   2) Line 666 (gulp!) of ip_output.c has:

   security_ip_fragment(skb2, skb);

   but there doesn't appear to be an skb2 in that context.

------------------------

So in short; does anyone have a known good set of kernel patches that 
actually work, or a set of userland tools for Debian/stable that work 
with the NSA kernel?

Thanks in advance,

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Brian May]

>>>>> "Dave" == Dave Gilbert (Home) <gilbertd@treblig.org> writes:

    Dave> Hi, I've been following the document 'Getting Started With
    Dave> SE Linux HOWTO' by Faye Coker (12 March 2003) and am having
    Dave> problems. Any help much appreciated.

    Dave> I'm using Debian Woody and the 'stable' set of tools from
    Dave> Brian May (www.microcomaustralia.com.au)

Hello,

Currently the "stable" set of tools are all for the old selinux,
I suspect you have a kernel with the new selinux.

These packages, for woody, are still in the "unstable" section of my
archive.

Unless anybody has any serious objections, I plan to delete the old
selinux files in my "stable" archive and replace them with the new
selinux files in my "unstable" archive.
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Dave Gilbert (Home)]

Brian May wrote:

Hi Brian,

> Currently the "stable" set of tools are all for the old selinux,
> I suspect you have a kernel with the new selinux.

This indeed seems to be the case;  after yesterdays discussions I 
successfully built myself an old selinux kernel and got it to work with 
the packages I had installed. Thanks to both yourself and Russell for 
explaining this.

> These packages, for woody, are still in the "unstable" section of my
> archive.
> 
> Unless anybody has any serious objections, I plan to delete the old
> selinux files in my "stable" archive and replace them with the new
> selinux files in my "unstable" archive.

Hmm - I'm confused - if I look in 
/debian/dists/unstable/selinux/binary-i386/Packages
on your site I just see dpkg, dpkg-dev and dpkg-doc
can you give me an exact sources.list line?

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Brian May]

>>>>> "Dave" == Dave Gilbert (Home) <gilbertd@treblig.org> writes:

    >> These packages, for woody, are still in the "unstable" section of my
    >> archive.
    >> Unless anybody has any serious objections, I plan to delete the old
    >> selinux files in my "stable" archive and replace them with the new
    >> selinux files in my "unstable" archive.

    Dave> Hmm - I'm confused - if I look in
    Dave> /debian/dists/unstable/selinux/binary-i386/Packages
    Dave> on your site I just see dpkg, dpkg-dev and dpkg-doc
    Dave> can you give me an exact sources.list line?

You will need to use the "main" section as well as the "selinux"
section.  The "selinux" section is obsolete, as maintaining two
sections become difficult under certain circumstances.

dpkg must be the only package I haven't yet moved...
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Dave Gilbert (Home)]

Brian May wrote:
>>>>>>"Dave" == Dave Gilbert (Home) <gilbertd@treblig.org> writes:

> You will need to use the "main" section as well as the "selinux"
> section.  The "selinux" section is obsolete, as maintaining two
> sections become difficult under certain circumstances.
> 
> dpkg must be the only package I haven't yet moved...

Thank you! It now works.

The only remaining gotcha was that the old HOWTO that I had made a big 
point of warning you that the first thing you had to install was the 
'login' package - which now doesn't have an selinux version.

So - to summarise (for those reading this in the future - is the archive 
working?); to get SELinux working on Debian/woody:

   * Get the kernel patches (lsm and exec-shield) off Russell Coker's site
   * Get the standard debian 2.4.24 kernel package (from the main debian 
pool) and the debian kernel-patch-acl package
   * To the standard kernel apply the kernel-patch-acl patches (if you 
are doing it by hand that has to be in the order ea, acl, nfsacl)
   * Apply the exec-shield patch
   * apply the lsm patch

Add:


deb http://www.microcomaustralia.com.au/debian unstable selinux main

to your sources.list

and follow the instructions from the *new* selinux howto - that will be 
the one that tells you to mount /selinux and doesn't mention the 'login' 
package.

Note: When installing the packages it is best to do one big apt-get line 
rather than one at a time - doing them individually has a nasty habit of 
removing other packages.

Thanks,

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Russell Coker]

On Wed, 4 Feb 2004 06:12, "Dave Gilbert (Home)" <gilbertd@treblig.org> wrote:
> I'm using Debian Woody and the 'stable' set of tools from Brian May
> (www.microcomaustralia.com.au)

It appears that the "stable" repository on Brian's site is for old SE Linux 
and "unstable" is for new SE Linux.  I've updated my web site to describe 
this.

Brian, what are your plans for this?  Do you plan to make the new SE Linux 
packages migrate to "stable" on your site?

> An strace of 'id' shows:
>
> SYS_223(0xf97cff8c, 0xc, 0, 0x400135cc) = -1 ENOSYS (Function not
> implemented)

SYS_223 is the LSM system call from the old SE Linux.

> OK - so that doesn't work; and I'm thinking I need to try a different
> kernel patch set.
> So I download the patches from www.coker.com.au/newselinux/kern
>
> and after battling through adding the ea, acl and nfsacl patches
> I then patch the coker lsm patches on.
>
> This has two problems:
>    1) A minor reject in tcp_ipv4.c that appears easy to fix
>    2) Line 666 (gulp!) of ip_output.c has:
>
>    security_ip_fragment(skb2, skb);
>
>    but there doesn't appear to be an skb2 in that context.

Sounds like you aren't applying the patches to the Debian kernel source.  If 
you get kernel-patch-debian-2.4.24 and apply it first then everything should 
be fine.

Regarding the skb2, that's because the patch gets applied to the wrong 
function.  Look at the context after the added line and it should be easy to 
manually put in.

But using 2.6.1 is probably easier.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Dave Gilbert (Home)]

Russell Coker wrote:
> On Wed, 4 Feb 2004 06:12, "Dave Gilbert (Home)" <gilbertd@treblig.org> wrote:

Hi Russell,
   Thanks for the swift reply,

> 
> It appears that the "stable" repository on Brian's site is for old SE Linux 
> and "unstable" is for new SE Linux.  I've updated my web site to describe 
> this.

Thanks.

>>An strace of 'id' shows:
>>
>>SYS_223(0xf97cff8c, 0xc, 0, 0x400135cc) = -1 ENOSYS (Function not
>>implemented)
> 
> 
> SYS_223 is the LSM system call from the old SE Linux.

Perhaps it would be nice if new-LSM logged something like 'Your using 
the old userland tools' as a clue.

> Sounds like you aren't applying the patches to the Debian kernel source.  If 
> you get kernel-patch-debian-2.4.24 and apply it first then everything should 
> be fine.

Thanks; I'll give that a go.

So am I OK applying the kernel-patch-2.4-oldlsm_2003.08.13-8 - should 
that work with Brians tools ?
(If not then I guess its a case of downloading the source to your tool 
packages and rebuilding).

> But using 2.6.1 is probably easier.

Indeed; while my own experiences with 2.6.1 on my home machine are 
mostly positive, I'm not really ready to trust its stability on an 
important machine.

Thanks again for the swift response,

Dave


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Brian May]

>>>>> "Dave" == Dave Gilbert (Home) <gilbertd@treblig.org> writes:

    Dave> So am I OK applying the kernel-patch-2.4-oldlsm_2003.08.13-8
    Dave> - should that work with Brians tools ?  (If not then I guess
    Dave> its a case of downloading the source to your tool packages
    Dave> and rebuilding).

No, don't downgrade; I plan to remove the old stuff. Read my
"previous" response.

I replied almost immediately, but it doesn't seem to have got to the
mailing list yet; I have just realized that the mail server holding
the mailing list doesn't like ECN...
-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Russell Coker]

On Wed, 4 Feb 2004 20:37, "Dave Gilbert (Home)" <gilbertd@treblig.org> wrote:
> So am I OK applying the kernel-patch-2.4-oldlsm_2003.08.13-8 - should
> that work with Brians tools ?

That will work with the tools you have installed.  But it's probably better to 
just upgrade to the new SE Linux.  So install the new tools from the 
"unstable" part of Brian's repository.

> > But using 2.6.1 is probably easier.
>
> Indeed; while my own experiences with 2.6.1 on my home machine are
> mostly positive, I'm not really ready to trust its stability on an
> important machine.

Well you can use 2.4.x kernels with the new SE Linux.  But there are delays in 
getting things working when a new 2.4.x kernel comes out.  Also LSM conflicts 
with most other significant kernel patches, which limits what you can do.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Bill McCarty]

Hi all,

I'm trying to follow the trail for installing SELinux on Debian unstable, 
as helpfully documented by Dave Gilbert (see below). Thanks, Dave!

However, I'm having difficulty with the Selinux-policy-default package, 
which Dselect complains is not compatible with Policycoreutils. I plan to 
start over with a very minimal Debian installation on the hypothesis that 
one or more of the SELinux package versions has been obsoleted by a 
non-SELinux package. Can anyone offer other suggestions for installing 
SELinux under Debian, whether stable or unstable?

Cheers,

--On Tuesday, February 03, 2004 7:12 PM +0000 "Dave Gilbert (Home)" 
<gilbertd@treblig.org> wrote:

> So - to summarise (for those reading this in the future - is the archive
> working?); to get SELinux working on Debian/woody:
>
>    * Get the kernel patches (lsm and exec-shield) off Russell Coker's site
>    * Get the standard debian 2.4.24 kernel package (from the main debian
> pool) and the debian kernel-patch-acl package    * To the standard kernel
> apply the kernel-patch-acl patches (if you are doing it by hand that has
> to be in the order ea, acl, nfsacl)    * Apply the exec-shield patch
>    * apply the lsm patch
>
> Add:
>
>
> deb http://www.microcomaustralia.com.au/debian unstable selinux main
>
> to your sources.list
>
> and follow the instructions from the *new* selinux howto - that will be
> the one that tells you to mount /selinux and doesn't mention the 'login'
> package.
>
> Note: When installing the packages it is best to do one big apt-get line
> rather than one at a time - doing them individually has a nasty habit of
> removing other packages.

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Tom]

On Tue, Apr 06, 2004 at 04:59:37PM -0700, Bill McCarty wrote:
> I'm trying to follow the trail for installing SELinux on Debian unstable, 
> as helpfully documented by Dave Gilbert (see below). Thanks, Dave!

Those are for woody, not unstable. Look at my site for apt sources for
the other distros (http://selinux.lemuria.org)


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Bill McCarty]

Hi Tom,

Tausend Dank!

--On Wednesday, April 07, 2004 7:54 AM +0200 Tom <tom@lemuria.org> wrote:

> Those are for woody, not unstable. Look at my site for apt sources for
> the other distros (http://selinux.lemuria.org)

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Bill McCarty]

Hi Tom and all,

--On Wednesday, April 07, 2004 7:54 AM +0200 Tom <tom@lemuria.org> wrote:

> Those are for woody, not unstable. Look at my site for apt sources for
> the other distros (http://selinux.lemuria.org)

I ditched my not-quite-right Linux 2.4 installation of SELinux and had a go 
at at Linux 2.6 installation under Debian Sid, created by following Tom's 
excellent instructions at <http://selinux.lemuria.org/install-2.6.html>.

However, I ran into a snag. Sid's SSH package has been updated to require 
libpam-runtime 0.76-14 or greater, and the latest libpam-runtime having 
SELinux mods is only 0.76-13.

Although I was once familiar with Debian, I no longer know my way around 
it. Is there a way to instruct apt-get to ignore such a package dependency? 
I haven't been able to find an appropriate option in the man pages. I 
suppose that I could manually download the SSH package and install it via 
dpkg, which has a --force option. Is that the way to go?

Cheers,

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Tom]

On Thu, Apr 08, 2004 at 10:23:19PM -0700, Bill McCarty wrote:
> However, I ran into a snag. Sid's SSH package has been updated to require 
> libpam-runtime 0.76-14 or greater, and the latest libpam-runtime having 
> SELinux mods is only 0.76-13.
> 
> Although I was once familiar with Debian, I no longer know my way around 
> it. Is there a way to instruct apt-get to ignore such a package dependency? 
> I haven't been able to find an appropriate option in the man pages. I 
> suppose that I could manually download the SSH package and install it via 
> dpkg, which has a --force option. Is that the way to go?

Yes. Just to be sure I usually keep a full copy of the package archive
locally (just the SE progs) and then do something like dpkg -i * after
every upgrade.

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Milan P. Stanic]

On Wed, Apr 07, 2004 at 07:54:06AM +0200, Tom wrote:
> On Tue, Apr 06, 2004 at 04:59:37PM -0700, Bill McCarty wrote:
> > I'm trying to follow the trail for installing SELinux on Debian unstable, 
> > as helpfully documented by Dave Gilbert (see below). Thanks, Dave!
> 
> Those are for woody, not unstable. Look at my site for apt sources for
> the other distros (http://selinux.lemuria.org)

Maybe you could look at my backports from debian unstable to woody
at http://www.rns-nis.co.yu/~mps/ or with apt:
deb http://www.rns-nis.co.yu/~mps selinux/

I backported it with the help from Russell Coker, and  tested it only
under UML with 2.6.4 kernel.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Bill McCarty]

Hi Milan,

--On Friday, April 09, 2004 10:43 PM +0200 "Milan P. Stanic" 
<mps@rns-nis.co.yu> wrote:

> Maybe you could look at my backports from debian unstable to woody
> at http://www.rns-nis.co.yu/~mps/ or with apt:
> deb http://www.rns-nis.co.yu/~mps selinux/
>
> I backported it with the help from Russell Coker, and  tested it only
> under UML with 2.6.4 kernel.

I gave it a go; but dpkg reports that libselinux1 depends on libattr1 >= 
2.4.4-1, which is not part of Woody. Did I take a wrong turn?

Cheers,

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Milan P. Stanic]

On Sat, Apr 10, 2004 at 08:38:29PM -0700, Bill McCarty wrote:
> I gave it a go; but dpkg reports that libselinux1 depends on libattr1 >= 
> 2.4.4-1, which is not part of Woody. Did I take a wrong turn?

Oh, sorry. I forgot to note that it depends on libattr1 and attr which
can be downloaded from http://www.backports.org/

In my original announce to debian-security I mentioned that, but here
I made a mistake. Sorry for inconvenience.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Bill McCarty]

Hi Milan,

--On Sunday, April 11, 2004 12:18 PM +0200 "Milan P. Stanic" 
<mps@rns-nis.co.yu> wrote:

> Oh, sorry. I forgot to note that it depends on libattr1 and attr which
> can be downloaded from http://www.backports.org/

Ah, I see! I'll give that a try <g>. Thanks for the pointer.

Cheers,

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Peter Gervai]

On Tue, Apr 06, 2004 at 04:59:37PM -0700, Bill McCarty wrote:

> However, I'm having difficulty with the Selinux-policy-default package, 
> which Dselect complains is not compatible with Policycoreutils. I plan to 
> start over with a very minimal Debian installation on the hypothesis that 
> one or more of the SELinux package versions has been obsoleted by a 
> non-SELinux package. Can anyone offer other suggestions for installing 
> SELinux under Debian, whether stable or unstable?

Use sid and add to apt/sources.list to the bottom:
deb http://www.coker.com.au/newselinux ./

Check whether every essentials (ssh, login, pam) are selinux versions and
not the plain ones. Sometimes they're a little behind, and debian standard
versions rush in and "upgrade" 'em. :)

Works here.

Peter

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Bill McCarty]

Thanks, Pete. I think that the upgrades you mention are the root of the 
problem. I have finally ended up with a working configuration. The last 
ditch stand was needing policy.15 rather than policy.16. But, my procedure 
is still way messy. I plan to start over. If I come up with something clear 
that works, I'll share <g>.

Cheers,

--On Wednesday, April 07, 2004 9:55 AM +0200 Peter Gervai <grin@tolna.net> 
wrote:

> Use sid and add to apt/sources.list to the bottom:
> deb http://www.coker.com.au/newselinux ./
>
> Check whether every essentials (ssh, login, pam) are selinux versions and
> not the plain ones. Sometimes they're a little behind, and debian standard
> versions rush in and "upgrade" 'em. :)

---------------------------------------------------
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Koen Vervloesem]

> Thanks, Pete. I think that the upgrades you mention are the root of 
> the problem. I have finally ended up with a working configuration. The 
> last ditch stand was needing policy.15 rather than policy.16. But, my 
> procedure is still way messy. I plan to start over. If I come up with 
> something clear that works, I'll share <g>.

I will be happy when you find a configuration that works. I have tried 
it and didn't succeed.

Koen


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Problems finding working kernel/user land combination

[Tomas Hoger]

On Wed, Apr 07, 2004 at 09:55:19AM +0200, Peter Gervai wrote:
> On Tue, Apr 06, 2004 at 04:59:37PM -0700, Bill McCarty wrote:
> 
> > However, I'm having difficulty with the Selinux-policy-default package, 
> > which Dselect complains is not compatible with Policycoreutils. I plan to 
> > start over with a very minimal Debian installation on the hypothesis that 
> > one or more of the SELinux package versions has been obsoleted by a 
> > non-SELinux package. Can anyone offer other suggestions for installing 
> > SELinux under Debian, whether stable or unstable?
> 
> Use sid and add to apt/sources.list to the bottom:
> deb http://www.coker.com.au/newselinux ./
> 
> Check whether every essentials (ssh, login, pam) are selinux versions and
> not the plain ones. Sometimes they're a little behind, and debian standard
> versions rush in and "upgrade" 'em. :)

If you put this:

Package: *
Pin: release o=etbe
Pin-Priority: 1001

into /etc/apt/preferences, apt will keep Russell's packages and will never
replace them with newer ones from main Debian archive (actually, if you
already have newer version installed, apt will downgrade those packages to
version available from Russell's repository ;).  See 'man apt_preferences'
for more info.

th.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.