From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: russell@coker.com.au, SE-Linux <selinux@tycho.nsa.gov>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>,
	Chad Sellers <csellers@tresys.com>,
	Karl MacMillan <kmacmillan@tresys.com>
Subject: Re: Debian SE Linux status
Date: Fri, 28 Mar 2008 08:56:16 -0400
Message-ID: <47ECEAF0.4090304@manicmethod.com>
In-Reply-To: <1206708790.3302.414.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Fri, 2008-03-28 at 11:06 +1100, Russell Coker wrote:
>   
>> http://etbe.coker.com.au/2008/03/28/debian-se-linux-status/
>>
>> Those of you who don't read Planet SE Linux but who are interested in Debian 
>> may want to read the above.
>>     
>
> Regarding the mismatch in policy version between your domU vs. dom0, you
> should be able to build older policy versions via the config setting
> in /etc/selinux/semanage.conf (modular build) or via the OUTPUT_POLICY=
> setting in build.conf, overridable on the make command line (monolithic
> build).
>
> Or you could install newer selinux core userland in your dom0 such that
> it can read and downgrade the latest policy to the one supported by your
> kernel (libselinux policy load logic will convert a newer policy to an
> older one at load time for you).
>
> Agree that converting between non-MLS and MLS/MCS is very painful at
> present.  Part of that we can fix (inappropriate dependencies in
> semanage/seobject.py that should be querying the policy store via
> libsemanage/libsepol rather than checking the running policy), and part
> we cannot (still won't be able to switch the kind of policy at policy
> reload in the kernel).  I'd actually prefer that we just always enable
> the MLS engine and field for simplification, presenting the same
> experience to all users, and ensuring that we are all testing the same
> code paths.  I don't know how others feel about that though - I know
> that Gentoo has historically not enabled MCS/MLS, and that upstream
> refpolicy still defaults to not enabling it (standard).
>
> I'm not sure why MLS support significantly increases policy build time
> though.
>   

Also note that the default (and only) policy on Ubuntu is non-mls.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
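The two approaches in Stephen's reply (pinning the policy version for a modular build in semanage.conf, or overriding OUTPUT_POLICY for a monolithic refpolicy build) both depend on knowing the highest policy version the target kernel accepts. The following shell helper, added here as an example and not part of the thread or of any SELinux project, reads that number from selinuxfs, picks the version to build, emits the matching setting for each build style, and checks the version stamped in an already compiled policy file. It assumes selinuxfs is mounted at /sys/fs/selinux (or the older /selinux) and that the host is little-endian so od reads the policy header in on-disk byte order; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux userland.
# Helps build a policy that an older kernel (e.g. a domU) will still load.

# Maximum policy version the running kernel supports. Assumes selinuxfs at
# /sys/fs/selinux; falls back to the pre-3.x mount point /selinux.
kernel_policyvers() {
    f="${1:-/sys/fs/selinux/policyvers}"
    [ -r "$f" ] || f=/selinux/policyvers
    [ -r "$f" ] || return 1
    cat "$f"
}

# Choose the version to build from the build host's and the target kernel's
# maxima: the lower of the two, because a kernel refuses a policy newer than
# it understands while older formats remain loadable.
choose_policy_version() {
    build_max="$1"
    target_max="$2"
    if [ "$target_max" -lt "$build_max" ]; then
        echo "$target_max"
    else
        echo "$build_max"
    fi
}

# Setting for a modular build: goes into /etc/selinux/semanage.conf so that
# semodule/libsemanage write the kernel policy at this version.
semanage_conf_line() {
    echo "policy-version = $1"
}

# Command for a monolithic refpolicy build, overriding build.conf's
# OUTPUT_POLICY on the make command line.
monolithic_make_cmd() {
    echo "make OUTPUT_POLICY=$1 policy"
}

# Version stamped in a compiled kernel policy file such as
# /etc/selinux/targeted/policy/policy.21. Header layout: u32 magic
# 0xf97cff8c, u32 string length 8, "SE Linux", u32 policy version,
# all written in little-endian order; fails if the magic does not match.
policy_file_version() {
    f="$1"
    [ -r "$f" ] || return 1
    magic=$(od -An -t x4 -N 4 "$f" | tr -d ' \n')
    [ "$magic" = "f97cff8c" ] || return 1
    od -An -t u4 -j 16 -N 4 "$f" | tr -d ' \n'
}

# Usage: ./policyver.sh <target-kernel-max-version>
# Prints the build settings for a policy the target kernel can load.
if [ "$#" -eq 1 ]; then
    build_max=$(kernel_policyvers) || { echo "cannot read selinuxfs" >&2; exit 1; }
    ver=$(choose_policy_version "$build_max" "$1")
    echo "build host max: $build_max, target max: $1, building: $ver"
    semanage_conf_line "$ver"
    monolithic_make_cmd "$ver"
fi
```

Note the downgrade Stephen describes, where a newer libselinux rewrites a newer policy to the kernel's version at load time, only helps when the newer userland is on the machine doing the load; building at the lower version up front works with either userland, which is why the helper always picks the lower of the two maxima.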


Thread overview: 11+ messages
2008-03-28  0:06 Debian SE Linux status Russell Coker
2008-03-28 12:53 ` Stephen Smalley
2008-03-28 12:56   ` Joshua Brindle [this message]
2008-03-28 12:59     ` Stephen Smalley
2008-03-28 13:36       ` James Carter
2008-03-28 13:51         ` Stephen Smalley
2008-03-28 14:32           ` James Carter
2008-03-28 15:19             ` Stephen Smalley
2008-03-29  1:30               ` Russell Coker
2008-03-29  0:59           ` Russell Coker
2008-03-29  1:16             ` Joshua Brindle
