* Getting started with SELinux and Slackware
From: Lee Lowder @ 2005-09-22 7:25 UTC (permalink / raw)
To: selinux
I am using Slackware 10.2 with kernel 2.6.13.2, and am wanting to get
going with SELinux. I know that Timothy Wood had made some packages in
the past, but his site (as listed on the SELinux for Distributions page)
gives a 403 error.
I don't mind installing it all myself, but I am not sure where to start.
I do know I will need PAM, as Slackware does not include it by default.
If someone could point me to some info to help guide me through this, or
provide such info, I would greatly appreciate it. Thank you.
FriedBob
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Getting started with SELinux and Slackware
From: Russell Coker @ 2005-09-22 9:34 UTC (permalink / raw)
To: Lee Lowder; +Cc: selinux
On Thursday 22 September 2005 17:25, Lee Lowder <friedbob@sbcglobal.net>
wrote:
> I don't mind installing it all myself, but I am not sure where to start.
> I do know I will need PAM, as Slackware does not include it by default.
If Slackware doesn't include PAM then it will be quite a lot of work to add
PAM support to all necessary applications.
It would probably be easier to modify the policy to remove *_chkpwd_t and
grant every daemon that needs to verify a password read access to
shadow_t:file.
Why do you want to work on Slackware? It seems to be a regular occurrence
that someone starts work on Slackware SE Linux support, their work doesn't
get merged into the Slackware distribution, and then it gets discarded.
While Debian SE Linux support isn't in the greatest shape at the moment the
changes are getting merged into the main packages so any work you do won't
get wasted.
Of course you could just use Fedora and have it all work.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Getting started with SELinux and Slackware
From: Stephen Smalley @ 2005-09-22 12:28 UTC (permalink / raw)
To: Lee Lowder; +Cc: Timothy Wood, selinux
On Thu, 2005-09-22 at 02:25 -0500, Lee Lowder wrote:
> I am using Slackware 10.2 with kernel 2.6.13.2, and am wanting to get
> going with SELinux. I know that Timothy Wood had made some packages in
> the past, but his site (as listed on the SELinux for Distributions page)
> gives a 403 error.
Yes, looks like the old URL is dead. But looking at his top-level site
(which redirects to his blog now), I see a reference to
ftp://ftp.diyab.net/selinux/ as the new location for his Slackware
selinux packages. Looks a little dated (based off the 9 March 2005
release of SELinux).
> I don't mind installing it all myself, but I am not sure where to start.
> I do know I will need PAM, as Slackware does not include it by default.
SELinux doesn't strictly require the use of PAM; you can port it to
Slackware without necessarily converting to PAM. Using SELinux without
PAM (and pam_selinux) just requires policy modifications to allow direct
program reading of /etc/shadow and direct patching of login.
pam_selinux was actually introduced by Red Hat when they integrated
SELinux into Fedora Core; prior to that, login was directly patched for
SELinux. So an alternative path is to resurrect the old login patch for
SELinux and adjust policy accordingly.
> If someone could point me to some info to help guide me through this, or
> provide such info, I would greatly appreciate it. Thank you.
--
Stephen Smalley
National Security Agency
* Re: Getting started with SELinux and Slackware
From: Lee Lowder @ 2005-09-22 16:19 UTC (permalink / raw)
To: selinux
Russell Coker wrote:
>
> If Slackware doesn't include PAM then it will be quite a lot of work to add
> PAM support to all necessary applications.
>
Last time I tried messing with SELinux on Slack, I was told that it
would be easier to install PAM than to modify SELinux stuff to not use it.
> It would probably be easier to modify the policy to remove *_chkpwd_t and
> grant every daemon that needs to verify a password read access to
> shadow_t:file.
That does not seem too difficult or complicated, so I will give that a go.
>
> Why do you want to work on Slackware? It seems to be a regular occurrence
> that someone starts work on Slackware SE Linux support, their work doesn't
> get merged into the Slackware distribution, and then it gets discarded.
Slackware is the distro I use, and have used for years. I know it and
am comfortable with it. The thought of asking Pat V to merge it never
crossed my mind, actually. I'm doing this because it was something I
wanted to play with and as a learning experience.
>
> While Debian SE Linux support isn't in the greatest shape at the moment the
> changes are getting merged into the main packages so any work you do won't
> get wasted.
>
> Of course you could just use Fedora and have it all work.
>
Would the "it just works" thing apply to CentOS as well? Or does RHEL
not have the same level of SELinux support as Fedora?
* Re: Getting started with SELinux and Slackware
From: Timothy @ 2005-09-22 18:02 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Lee Lowder, selinux
All of the modified slackware sources that I used to build that old
release are available on that ftp site (ftp.diyab.net/selinux). I
haven't had time to update any of it in a while but it generally just
requires checking the newer patches and rebuilding the tgz from the
slackbuild script.
I included PAM because I think it has good advantages so all of the
packages I built include PAM support. Not sure what would be involved
in building without PAM. Most likely it just requires removing the
configure flags to enable PAM from the build scripts.
I'll be more than happy to help you out if you want.
Timothy,
* Re: Getting started with SELinux and Slackware
From: Lyle Sigurdson @ 2005-09-22 21:22 UTC (permalink / raw)
To: selinux
I've been working on getting SELinux to work on Slackware
without PAM and with just one patch per package (that is, not
relying on all the patches that are applied before the SELinux
patch.) I've got a bunch of packages made but not a working
system yet.
I'm still in the early learning phases with regards to SELinux,
but here are a few thoughts:
- SELinux is one of the most important things to ever hit Linux
(in my opinion.) It would be unfortunate if Slackware never
gets in on it.
- I doubt SELinux will be merged into the distribution if PAM is
part of it, because the Slackware folks are pretty anti-PAM.
- I doubt SELinux will be merged into the distribution if it
requires a lot of patches, because Slackware's packages are
built mostly straight from the tarballs without patching (a
whole bunch of ./configure --with-selinux would be fine.)
Lyle Sigurdson.
* Re: Getting started with SELinux and Slackware
From: Timothy @ 2005-09-22 22:23 UTC (permalink / raw)
To: Lyle Sigurdson, selinux
> I've been working on getting SELinux to work on Slackware
> without PAM and with just one patch per package (that is, not
> relying on all the patches that are applied before the SELinux
> patch.) I've got a bunch of packages made but not a working
> system yet.
I had considered this but I did not see anything but advantages to using PAM.
The one main hurdle would be recompiling things in slackware to include PAM
support but most of the base things you would need to recompile get recompiled
to include selinux support anyhow.
>
> I'm still in the early learning phases with regards to SELinux,
> but here a few thoughts:
>
> - SELinux is one of the most important things to ever hit Linux
> (in my opinion.) It would be unfortunate if Slackware never
> gets in on it.
>
> - I doubt SELinux will be merged into the distribution if PAM is
> part of it, because the Slackware folks are pretty anti-PAM.
Pat himself is anti-PAM from what I've heard, although I do not know why, so I
doubt it will make it into slackware.
>
> - I doubt SELinux will be merged into the distribution if it
> requires a lot of patches, because Slackware's packages are
> built mostly straight from the tarballs without patching (a
> whole bunch of ./configure --with-selinux would be fine.)
>
> Lyle Sigurdson.
>
* Re: Getting started with SELinux and Slackware
From: Stephen Smalley @ 2005-09-23 17:03 UTC (permalink / raw)
To: Lyle Sigurdson; +Cc: Daniel J Walsh, Russell Coker, selinux
On Thu, 2005-09-22 at 16:22 -0500, Lyle Sigurdson wrote:
> - I doubt SELinux will be merged into the distribution if it
> requires a lot of patches, because Slackware's packages are
> built mostly straight from the tarballs without patching (a
> whole bunch of ./configure --with-selinux would be fine.)
We'd be glad to see the SELinux userland patches get upstreamed rather
than just staying as patches in the individual distro packages.
--
Stephen Smalley
National Security Agency
* Re: Getting started with SELinux and Slackware
From: Martin J. Green @ 2007-12-20 13:40 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
> From: Timothy <timothy_at_diyab.net>
> Date: Thu, 22 Sep 2005 14:02:29 -0400
>
> All of the modified slackware sources that I used to build that old release are available on that ftp site (ftp.diyab.net/selinux). I haven't had time to update any of it in a while but it generally just requires checking the newer patches and rebuilding the tgz from the slackbuild script.
> I included PAM because I think it has good advantages so all of the packages I built include PAM support. Not sure what would be involved in building without PAM. Most likely it just requires removing the configure flags to enable PAM from the build scripts.
> I'll be more than happy to help you out if you want.
> Timothy
I appreciate this is an old post, but I'm in the process of updating your build scripts for the latest selinux, however I'm also looking for the old login patch so I don't have to use PAM.
I would of course be happy to make the build scripts available (I'll also build for i486 and upload to linuxpackages.net when I get time - I'm building for p4 & x86_64 for myself).
Can anyone point me in the right direction to find the necessary patch(es)? I've found some FC4 patches in the fedora CVS tree that don't seem to refer to PAM, but not sure when PAM was introduced to redhat/fedora, so not quite sure what I'm looking for. I want to modify slack as little as possible.
Martin
* Re: Getting started with SELinux and Slackware
From: Stephen Smalley @ 2007-12-20 14:48 UTC (permalink / raw)
To: Martin J. Green; +Cc: selinux@tycho.nsa.gov
On Thu, 2007-12-20 at 13:40 +0000, Martin J. Green wrote:
> > From: Timothy <timothy_at_diyab.net>
> > Date: Thu, 22 Sep 2005 14:02:29 -0400
> >
> > All of the modified slackware sources that I used to build that old release are available on that ftp site (ftp.diyab.net/selinux). I haven't had time to update any of it in a while but it generally just requires checking the newer patches and rebuilding the tgz from the slackbuild script.
> > I included PAM because I think it has good advantages so all of the packages I built include PAM support. Not sure what would be involved in building without PAM. Most likely it just requires removing the configure flags to enable PAM from the build scripts.
> > I'll be more than happy to help you out if you want.
> > Timothy
>
>
> I appreciate this is an old post, but I'm in the process of updating your build scripts for the latest selinux, however I'm also looking for the old login patch so I don't have to use PAM.
>
> I would of course be happy to make the build scripts available (I'll also build for i486 and upload to linuxpackages.net when I get time - I'm building for p4 & x86_64 for myself).
>
> Can anyone point me in the right direction to find the necessary patch(es)? I've found some FC4 patches in the fedora CVS tree that don't seem to refer to PAM, but not sure when PAM was introduced to redhat/fedora, so not quite sure what I'm looking for. I want to modify slack as little as possible.
The switch from using a direct patch to login to using pam_selinux
happened back in 2003, so I think Fedora might have always used
pam_selinux (since Fedora first included SELinux in Fedora Core 2, which
came out later). You can tell by whether or not the
util-linux-selinux.patch included a diff to login.c or not.
Of course, pam_selinux has undergone a lot of changes since that time,
so you may want to consider just back porting its logic into login.c,
removing its pam'isms.
google on util-linux-selinux.patch found a copy that still had the
login.c mods at:
http://mirror.caoslinux.org/cAos-1/creation/util-linux-2.11y-31.1/SOURCES/util-linux-selinux.patch
among other places.
--
Stephen Smalley
National Security Agency
* Re: Getting started with SELinux and Slackware
From: Martin J. Green @ 2008-03-11 8:22 UTC (permalink / raw)
To: Martin J. Green, selinux@tycho.nsa.gov
It looks like a number of packages now have patches upstreamed (--with-selinux) - any idea how up to date/complete they are? (Openssh, util-linux & shadow all have --with-selinux configure flags).
I'm seeing this error:
sftp.c: In function 'parse_dispatch_command':/usr/lib/gcc/i486-slackware-linux/4.2.3/../../../libselinux.a(load_policy.o): In function `selinux_mkload_policy':
load_policy.c:(.text+0xbf): undefined reference to `sepol_policy_kern_vers_max'
load_policy.c:(.text+0x114): undefined reference to `sepol_policy_kern_vers_min'
load_policy.c:(.text+0x212): undefined reference to `sepol_policy_file_create'
load_policy.c:(.text+0x229): undefined reference to `sepol_policydb_create'
load_policy.c:(.text+0x256): undefined reference to `sepol_policy_file_set_mem'
load_policy.c:(.text+0x270): undefined reference to `sepol_policydb_read'
load_policy.c:(.text+0x28f): undefined reference to `sepol_policydb_set_vers'
load_policy.c:(.text+0x2c0): undefined reference to `sepol_policydb_to_image'
load_policy.c:(.text+0x2d8): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x2e7): undefined reference to `sepol_policydb_free'
load_policy.c:(.text+0x328): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x337): undefined reference to `sepol_policydb_free'
load_policy.c:(.text+0x373): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x382): undefined reference to `sepol_policydb_free'
load_policy.c:(.text+0x3d8): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x473): undefined reference to `sepol_genbools_array'
load_policy.c:(.text+0x4f5): undefined reference to `sepol_genusers'
load_policy.c:(.text+0x534): undefined reference to `sepol_genbools'
collect2: ld returned 1 exit status
make: *** [sshd] Error 1
make: *** Waiting for unfinished jobs....
sftp.c:1031: warning: 'n_arg' may be used uninitialized in this function
sftp.c:1030: warning: 'iflag' may be used uninitialized in this function
sftp.c:1030: warning: 'lflag' may be used uninitialized in this function
sftp.c:1030: warning: 'pflag' may be used uninitialized in this function
Any idea what I'm missing?
Martin
-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Martin J. Green
Sent: 11 March 2008 03:28
To: selinux@tycho.nsa.gov
Subject: RE: Re: Getting started with SELinux and Slackware
I grabbed a copy from http://www.filewatcher.com/p/util-linux-2.11y-31.2.src.rpm.1552730/util-linux-selinux.patch.html and had a go at patching it against the 2.12r code to see what was going to patch/what needed fixing, and it appears 2.12r already has some selinux code/support included? (the 2.11y patch creates two files, amongst other things, called selinux_utils.c and .h - these already exist) The MCONFIG file has an option to enable selinux - it appears the patch is already integrated?
Looking at fedora sources, it looks like they only patch util-linux for pam, not selinux, so this would seem to confirm this is the case (though looking at Timothy Wood's patchset, he's also adding the use_selinux define to MCONFIG).
So I don't need to do anything to util-linux except enable selinux on compile?
Login would come from Shadow in any event, so probably need to be looking there...
M
* Re: Getting started with SELinux and Slackware
From: Stephen Smalley @ 2008-03-11 15:24 UTC (permalink / raw)
To: Martin J. Green; +Cc: selinux@tycho.nsa.gov
On Tue, 2008-03-11 at 08:22 +0000, Martin J. Green wrote:
> It looks like a number of packages now have patches upstreamed (--with-selinux) - any idea how up to date/complete they are? (Openssh, util-linux & shadow all have --with-selinux configure flags).
>
> I'm seeing this error:
>
> sftp.c: In function 'parse_dispatch_command':/usr/lib/gcc/i486-slackware-linux/4.2.3/../../../libselinux.a(load_policy.o): In function `selinux_mkload_policy':
> load_policy.c:(.text+0xbf): undefined reference to `sepol_policy_kern_vers_max'
Why are you linking against libselinux.a (static) rather than using
shared libraries?
You need to link with libsepol too.
--
Stephen Smalley
National Security Agency
* RE: Getting started with SELinux and Slackware
From: Martin J. Green @ 2008-03-11 20:35 UTC (permalink / raw)
To: selinux@tycho.nsa.gov
Solved the compile issues, I symlinked the libs in /lib to /usr/lib - but should I actually have them in /usr/lib instead? (I followed Tim Wood's scripts which used /lib).
The buildscripts for slackware at http://www.firstinternetservices.com/selinux are complete & working for the base selinux packages for the new version (I'm working on userland now - will post to the same when I'm done)
I take it since this is linking against sepol its probably safe to assume that the patch upstreamed into ssh is relatively up-to-date? (util-linux had a similar compile problem so the same should be true)
Martin
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: 11 March 2008 18:33
To: Martin J. Green
Subject: RE: Getting started with SELinux and Slackware
On Tue, 2008-03-11 at 18:14 +0000, Martin J. Green wrote:
> That particular example was just openssh with --with-selinux added to normal options (none of which include disabling shared or enabling static). I've see the same error when compiling checkpolicy and util-linux though
Possibly your environment doesn't support shared libs or you don't have
the shared libraries installed first?
You need to build and install libsepol.
Older versions of libselinux didn't have the libsepol dependency, so
older versions of the openssh selinux patch wouldn't have linked against
it either.
--
Stephen Smalley
National Security Agency
* Re: Getting started with SELinux and Slackware
From: Russell Coker @ 2008-03-12 0:58 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Martin J. Green, selinux@tycho.nsa.gov
On Wednesday 12 March 2008 02:33, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> As far as login goes, Fedora doesn't patch it since they use
> pam_selinux. If you can't use pam_selinux, then just look to see if
> login.c calls setexeccon() anywhere - it would need to do that to set up
> the user security context for the shell.
I recommend converting a Slackware system to use PAM.
If the same login is used in Slackware as in Debian (there are several login
programs to choose from) then the code is quite hairy and it's easy to make a
mistake.
Back in 2002 I released a login package for Debian which allowed a user to
login with the wrong SE Linux context due to a mistake when patching login
(the Debian login is not the same as the Red Hat login which the patch was
originally written for).
Even sshd (which has a high code quality) is not something that's easy to
modify.
Taking the PAM source from Debian or Fedora and building it on Slackware
should not be that difficult and will probably give a better result than
doing some entirely new development.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
* RE: Getting started with SELinux and Slackware
2008-03-11 20:35 ` Martin J. Green
@ 2008-03-12 12:46 ` Stephen Smalley
0 siblings, 0 replies; 15+ messages in thread
From: Stephen Smalley @ 2008-03-12 12:46 UTC (permalink / raw)
To: Martin J. Green; +Cc: selinux@tycho.nsa.gov
On Tue, 2008-03-11 at 20:35 +0000, Martin J. Green wrote:
> Solved the compile issues, I symlinked the libs in /lib to /usr/lib -
> but should I actually have them in /usr/lib instead? (I followed Tim
> Wood's scripts which used /lib).
Fedora has the following layout (example for libselinux, other libraries
are the same way):
/lib/libselinux.so.1 - the shared library
/usr/lib/libselinux.a - the static library
/usr/lib/libselinux.so - symlink to /lib/libselinux.so.1
>
> The buildscripts for slackware at http://www.firstinternetservices.com/selinux are complete & working for the base selinux packages for the new version (I'm working on userland now - will post to the same when I'm done)
>
> I take it since this is linking against sepol it's probably safe to assume that the patch upstreamed into ssh is relatively up-to-date? (util-linux had a similar compile problem so the same should be true)
Look for a call to getseuserbyname() in it.
Changes that are still patches in the Fedora package against openssh
4.7p1 include:
- support for specifying desired role and level rather than always using
the user's default context,
- LSPP-related changes (MLS/audit).
Neither of which are critical unless you are specifically targeting LSPP
functionality.
--
Stephen Smalley
National Security Agency
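An added shell check, not part of the thread, that verifies a build root follows the layout Stephen describes (real shared object in /lib, static archive in /usr/lib, /usr/lib/lib&lt;name&gt;.so a symlink resolving to the /lib copy); the function name and the root-directory argument are my own choices, and it would catch the reversed symlinks Martin mentions.

```shell
#!/bin/sh
# Check that a root directory follows the Fedora library layout from the
# message above, e.g. for libselinux:
#   /lib/libselinux.so.1     real shared library (regular file, not a link)
#   /usr/lib/libselinux.a    static archive
#   /usr/lib/libselinux.so   symlink resolving to /lib/libselinux.so.1
# Usage: check_lib_layout <root> <name> <soversion>   e.g. check_lib_layout / selinux 1
# Returns 0 when the layout is correct, 1 otherwise, printing each problem.
check_lib_layout() {
    root=${1%/}; name=$2; ver=$3
    shared="$root/lib/lib$name.so.$ver"
    static="$root/usr/lib/lib$name.a"
    devlink="$root/usr/lib/lib$name.so"
    rc=0
    # The runtime library must be a real file in /lib, not a link into /usr/lib
    # (which is unavailable early in boot if /usr is a separate filesystem).
    if [ -L "$shared" ] || [ ! -f "$shared" ]; then
        echo "missing, or not a regular file: $shared"; rc=1
    fi
    if [ ! -f "$static" ]; then
        echo "missing static archive: $static"; rc=1
    fi
    if [ ! -L "$devlink" ]; then
        echo "not a symlink: $devlink"; rc=1
    else
        target=$(readlink "$devlink")
        # Accept absolute or relative link targets, both resolved inside $root.
        case $target in
            /*) resolved="$root$target" ;;
            *)  resolved="$root/usr/lib/$target" ;;
        esac
        if [ ! "$resolved" -ef "$shared" ]; then
            echo "$devlink -> $target does not resolve to $shared"; rc=1
        fi
    fi
    return $rc
}

# Run directly as a script: check_lib_layout.sh <root> <name> <soversion>
if [ "$#" -eq 3 ]; then
    check_lib_layout "$@"
fi
```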