* State of Debian SELinux
@ 2005-09-17 23:31 Dale Amon
2005-09-18 0:10 ` Jiann-Ming Su
` (2 more replies)
0 siblings, 3 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-17 23:31 UTC (permalink / raw)
To: selinux
I've set aside the next week to come back to SELinux
and evaluate if it's reached the point where I could
recommend it for customer sites.
So far Debian SELinux is looking pretty grim, and I'd
like feedback on whether there really is a straight
forward path to install it. By that I mean one with
out a lot of kludges and pain as in the long
(and already obsolete) description of the Debian
install in McCarty's O'Reilly book.
I'm starting from a freshly burned Debian stable
install iso. I do a bog standard install up to
the point where the reboot brings you into aptitude.
I've tried both forks at that point; updating first
in sarge or cancelling.
I change the sources.list to sid and add Russell's
newselinux package line; then I update and
after selecting all the appropriate packages (and
the 2.6.12 kernel) I upgrade.
Problems: One, I have to deselect cups in the
policy default because it has an error that causes
the install to fail.
But even without it no go. I assumed I had to
reboot to get the selinuxfs, so I did that. But
the boot complains about it and a manual mount /selinuxfs
claims the kernel doesn't know what it is.
I checked the config; looks like everything associated
with selinux (and with xattr's on various file systems)
is selected.
The package will still not finish installing. The
error is:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.
I could fiddle a lot more, but that would be counter
productive: this time around I'm looking for a
reliable and straightforward install, not just
a bit of play time hacking.
Is there an up to date description of the Debian
install? McCarty's book is *way* out of date; I
could not find a current install procedure on
Russell's site, although such might be buried in
one of his many fine tutorials.
Is there a current canonical 1-2-3 procedure for
going from the current debian iso to a fully
installed SELinux system? I don't mind if I have
to fiddle with policy afterwards, but I do want
the comfort of knowing I've got a reliable means
of installing and updating (or talking a customer
through it) if I am to consider using it for real.
Of course the fact that sid seems to be required
is a *huge* negative to start with...
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-17 23:31 State of Debian SELinux Dale Amon
@ 2005-09-18 0:10 ` Jiann-Ming Su
2005-09-18 9:47 ` Dale Amon
2005-09-18 0:15 ` Luke Kenneth Casson Leighton
2005-09-19 12:27 ` Stephen Smalley
2 siblings, 1 reply; 20+ messages in thread
From: Jiann-Ming Su @ 2005-09-18 0:10 UTC (permalink / raw)
To: selinux
On 9/17/05, Dale Amon <amon@vnl.com> wrote:
> So far Debian SELinux is looking pretty grim, and I'd
> like feedback on whether there really is a straight
> forward path to install it. By that I mean one with
> out a lot of kludges and pain as in the long
> (and already obsolete) description of the Debian
> install in McCarty's O'Reilly book.
>
In case you haven't seen these:
https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266
--
Jiann-Ming Su
"I have to decide between two equally frightening options.
If I wanted to do that, I'd vote." --Duckman
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-17 23:31 State of Debian SELinux Dale Amon
2005-09-18 0:10 ` Jiann-Ming Su
@ 2005-09-18 0:15 ` Luke Kenneth Casson Leighton
2005-09-18 9:58 ` Dale Amon
2005-09-19 12:27 ` Stephen Smalley
2 siblings, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-18 0:15 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux
dale, hi,
i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in
"unstable".
it was painful, took about four to five months, and it worked.
the reason why it took so long was because i set an extremely high entry
requirement: a _useful_ kde system. i.e. not one where you have to run
some stupid command in order to get your usb devices back, undamaged.
that meant using hal, which meant using udev, which meant using shmfs
which meant a kernel patch to provide xattrs.
most of the stuff i did or highlighted is slowly filtering its way in,
mostly post-sarge-release as that held everything up and i mean
everything (libselinux was "optional" package and you cannot have
coreutils - a required package depends on an "optional" package.
therefore the maintainer of coreutils refused to even look at selinux
patches until post-sarge.).
you will NOT get sarge to work [as-is].
you WILL need libselinux1 for a start and because of the freeze
some 18 months ago libselinux1 did NOT make it into sarge.
manoj is the best person to speak to as he has defacto taken over
coordination of the patches etc. required.
you _will_ need the patched version of dpkg - the one that
sets selinux file contexts on files as it unpacks them - just
like rpm does.
you _will_ need to add /.dev to the list of files on which selinux
contexts are set, because if /.dev ever gets damaged (on the "original"
filesystem before udev is mounted and the "original" /dev moved to
/.dev) you WILL not be able to boot because /sbin/init relies on
/dev/stuff BEFORE udev runs.
basically to solve this one (properly) udev needs to be
integrated into debian's initrd (just like it is in redhat's
kernels) - or you simply need to run with a kernel that doesn't
use an initrd (just like you do with gentoo) which means not use
the standard debian kernels because of the risk of non-boot on file
system corruption, mkfs.ext2 removing xattrs on /dev/*.
sorry that's a bit long-winded and probably difficult to
understand but i'm trying to pack stuff in quickly as i remember it -
from several months ago - without time for review of what i've written.
l.
On Sun, Sep 18, 2005 at 12:31:11AM +0100, Dale Amon wrote:
> I've set aside the next week to come back to SELinux
> and evaluate if it's reached the point where I could
> recommend it for customer sites.
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-18 0:10 ` Jiann-Ming Su
@ 2005-09-18 9:47 ` Dale Amon
0 siblings, 0 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-18 9:47 UTC (permalink / raw)
To: Jiann-Ming Su; +Cc: selinux
On Sat, Sep 17, 2005 at 08:10:58PM -0400, Jiann-Ming Su wrote:
> On 9/17/05, Dale Amon <amon@vnl.com> wrote:
> > So far Debian SELinux is looking pretty grim, and I'd
> > like feedback on whether there really is a straight
> > forward path to install it. By that I mean one with
> > out a lot of kludges and pain as in the long
> > (and already obsolete) description of the Debian
> > install in McCarty's O'Reilly book.
> >
>
> In case you haven't seen these:
>
> https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
> https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266
I'd forgotten about Faye's excellent writing. But
it unfortunately describes (somewhat) the process
I went through, which was
* install base debian
* add Russ's repository to sources.list
* update
I shouldn't think any of the debian package mods
would come into play at this point as it is prior
to fs labeling that things are bombing out.
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-18 0:15 ` Luke Kenneth Casson Leighton
@ 2005-09-18 9:58 ` Dale Amon
2005-09-18 10:42 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-18 9:58 UTC (permalink / raw)
To: Dale Amon, selinux
On Sun, Sep 18, 2005 at 01:15:12AM +0100, Luke Kenneth Casson Leighton wrote:
> dale, hi,
And hello yourself. I've been a bit scarce on this list lately.
Business has been good for a change... so no playtime. :-)
> i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in
> "unstable".
> it was painful, took about four to five months, and it worked.
Ouch. Well, I'm only interested in getting it up on rack mount
server class machines with no fancy workstation apps on them.
Nothing but LAMP's.
> you will NOT get sarge to work [as-is].
But can you start from the sarge iso and upgrade? Or should I look
at whatever they have as the latest and most bleeding edge "don't
look at me crosseyed or I'll fall over" sid iso?
> you WILL need libselinux1 for a start and because of the freeze
> some 18 months ago libselinux1 did NOT make it into sarge.
I'm picking that up from Russell's repository during the upgrade
and it does install okay.
> you _will_ need the patched version of dpkg - the one that
> sets selinux file contexts on files as it unpacks them - just
> like rpm does.
Yeah, but that shouldn't matter yet: the problems are in the
initial upgrade to SELinux packages so the file system isn't
labeled yet and the kernel is still the base debian one.
> sorry that's a bit long-winded and probably difficult to
> understand but i'm trying to pack stuff in quickly as i remember it -
> from several months ago - without time for review of what i've written.
Oh, that's fine. Many of the items you note will
be time savers. Once I get the initial selinux package
install to work that is...
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-18 9:58 ` Dale Amon
@ 2005-09-18 10:42 ` Luke Kenneth Casson Leighton
2005-09-18 21:58 ` Dale Amon
0 siblings, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-18 10:42 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux
On Sun, Sep 18, 2005 at 10:58:07AM +0100, Dale Amon wrote:
> On Sun, Sep 18, 2005 at 01:15:12AM +0100, Luke Kenneth Casson Leighton wrote:
> > dale, hi,
>
> And hello yourself. I've been a bit scarce on this list lately.
> Business has been good for a change... so no playtime. :-)
>
> > i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in
> > "unstable".
> > it was painful, took about four to five months, and it worked.
>
> Ouch. Well, I'm only interested in getting it up on rack mount
> server class machines with no fancy workstation apps on them.
> Nothing but LAMP's.
then you would do well to consider gentoo/hardened instead!!
> > you will NOT get sarge to work [as-is].
>
> But can you start from the sarge iso and upgrade?
always.
> > you WILL need libselinux1 for a start and because of the freeze
> > some 18 months ago libselinux1 did NOT make it into sarge.
>
> I'm picking that up from Russell's repository during the upgrade
> and it does install okay.
look for manoj's stuff.
> > you _will_ need the patched version of dpkg - the one that
> > sets selinux file contexts on files as it unpacks them - just
> > like rpm does.
>
> Yeah, but that shouldn't matter yet: the problems are in the
> initial upgrade to SELinux packages so the file system isn't
> labeled yet and the kernel is still the base debian one.
ah, the "bootstrap" problem that i joyously encountered. i found this
to be a sticking point, too.
okay, you need to reboot first with ... damn it's been a while...
selinux=1 enabled=0
_then_ you stand a good chance of being able to [build and] relabel.
it's something to do with failures in the make process which i never
got to the bottom of - probably some of the libselinux / sepol
libraries detecting that selinux wasn't enabled, and not allowing
the build process to proceed properly.
most people only build and install selinux on already-useable
selinux systems.
l.
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-18 10:42 ` Luke Kenneth Casson Leighton
@ 2005-09-18 21:58 ` Dale Amon
2005-09-18 22:48 ` Luke Kenneth Casson Leighton
2005-09-23 18:53 ` sswami
0 siblings, 2 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-18 21:58 UTC (permalink / raw)
To: Dale Amon, selinux
On Sun, Sep 18, 2005 at 11:42:19AM +0100, Luke Kenneth Casson Leighton wrote:
> On Sun, Sep 18, 2005 at 10:58:07AM +0100, Dale Amon wrote:
> > Ouch. Well, I'm only interested in getting it up on rack mount
> > server class machines with no fancy workstation apps on them.
> > Nothing but LAMP's.
> then you would do well to consider gentoo/hardened instead!!
Not an option. The software driving the active site was
written specifically for debian and in debian packages. I'd
hate to have to go back to them and say, well, you know those
really neat debian packages I did last year...
> > I'm picking that up from Russell's repository during the upgrade
> > and it does install okay.
>
> look for manoj's stuff.
I will, but just in case, do you have a url?
> okay, you need to reboot first with ... damn it's been a while...
>
> selinux=1 enabled=0
Actually, it's enforcing=0. And unfortunately that doesn't help.
I still get the same error messages as before.
> it's something to do with failures in the make process which i never
> got to the bottom of - probably some of the libselinux / sepol
> libraries detecting that selinux wasn't enabled, and not allowing
> the build process to proceed properly.
There is definitely something I am missing with libsepol because
there is an error about it which means absolutely nothing to me
that causes dselect to give up on installing the default policy.
It also seems to mean nothing to Google so I guess it has not come
up on the mail list either:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.
Highly informative, n'est-ce pas? I can reproduce it manually:
cd /etc/selinux/src/
/usr/bin/checkpolicy
> most people only build and install selinux on already-useable
> selinux systems.
*amon turns to watch a chicken racing an egg across the road...
^ permalink raw reply [flat|nested] 20+ messages in thread
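A pre-flight check for the symptoms discussed in this thread (the kernel rejecting a mount of selinuxfs, and uncertainty over the boot parameters), as an added example that is not part of any message here. The function names and the sample inputs in `demo` are constructed for illustration; only `selinux=` and `enforcing=` are interpreted, and the result is what the command line requests, not what the kernel build enforces.

```sh
#!/bin/sh
# Added example: checks to run before building or loading SELinux policy.
# Inputs are parameters so the checks also work on saved copies of
# /proc/filesystems and /proc/cmdline taken from a machine under test.

# Return 0 if the kernel has registered selinuxfs.
kernel_knows_selinuxfs() {
    fs_file=${1:-/proc/filesystems}
    # Lines look like "nodev<TAB>selinuxfs"; match the last field exactly.
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' "$fs_file"
}

# Print what a kernel command line requests for SELinux:
#   disabled    selinux=0
#   default     no selinux= token (outcome depends on the kernel build)
#   enforcing   selinux=1 enforcing=1
#   permissive  selinux=1 without enforcing=1
# Any other token (for example "enabled=0") is ignored here.
selinux_boot_mode() {
    sel='' enf=''
    for tok in $1; do
        case $tok in
            selinux=[01])   sel=${tok#selinux=} ;;
            enforcing=[01]) enf=${tok#enforcing=} ;;
        esac
    done
    if [ "$sel" = 0 ]; then echo disabled
    elif [ -z "$sel" ]; then echo default
    elif [ "$enf" = 1 ]; then echo enforcing
    else echo permissive
    fi
}

# Return 0 if a release string in `uname -r` format is 2.6 or later,
# the first mainline series that includes SELinux.
kernel_is_26_or_later() {
    rel=${1:-$(uname -r)}
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 6 ]; }
}

# Run all checks, print one line per finding, return the number of FAILs.
# Usage: selinux_preflight FILESYSTEMS_FILE "CMDLINE STRING" KERNEL_RELEASE
selinux_preflight() {
    pf_fs=$1 pf_cmdline=$2 pf_rel=$3
    problems=0
    if kernel_is_26_or_later "$pf_rel"; then
        echo "OK   running kernel $pf_rel"
    else
        echo "FAIL running kernel $pf_rel is older than 2.6"
        problems=$((problems + 1))
    fi
    if kernel_knows_selinuxfs "$pf_fs"; then
        echo "OK   selinuxfs is registered"
    else
        echo "FAIL selinuxfs not registered; mounting it will be rejected"
        problems=$((problems + 1))
    fi
    pf_mode=$(selinux_boot_mode "$pf_cmdline")
    case $pf_mode in
        disabled) echo "FAIL command line disables SELinux (selinux=0)"
                  problems=$((problems + 1)) ;;
        default)  echo "WARN no selinux= token; add selinux=1 enforcing=0" ;;
        *)        echo "OK   command line requests $pf_mode mode" ;;
    esac
    return "$problems"
}

# Demonstration on constructed inputs (not captured from a real host).
demo() {
    sample=$(mktemp)
    printf 'nodev\tsysfs\nnodev\tproc\n\text3\n' > "$sample"
    selinux_preflight "$sample" 'root=/dev/hda1 ro' '2.4.27-2-386'
    echo "failed checks: $?"
    rm -f "$sample"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a live system, run `selinux_preflight /proc/filesystems "$(cat /proc/cmdline)" "$(uname -r)"` after sourcing the file.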
* Re: State of Debian SELinux
2005-09-18 21:58 ` Dale Amon
@ 2005-09-18 22:48 ` Luke Kenneth Casson Leighton
2005-09-19 11:15 ` Dale Amon
2005-09-23 18:53 ` sswami
1 sibling, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-18 22:48 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux
On Sun, Sep 18, 2005 at 10:58:41PM +0100, Dale Amon wrote:
> > selinux=1 enabled=0
>
> Actually, it's enforcing=0.
it's been a while :)
> And unfortunately that doesn't help.
> I still get the same error messages as before.
> > it's something to do with failures in the make process which i never
> > got to the bottom of - probably some of the libselinux / sepol
> > libraries detecting that selinux wasn't enabled, and not allowing
> > the build process to proceed properly.
>
> There is definitely something I am missing with libsepol because
> there is an error about it which means absolutely nothing to me
> that causes dselect to give up on installing the default policy.
dselect? ha! dselect is for wimps.
okay.
describe _exactly_ where you got everything from - what the packages
are, etc. how you did the install (you _should_ ideally be messin with
the latest linux2.6 nsa source code - kernel, library, etc. but hey if
you have found dpkg packages that's cool).
send all info to list.
then hopefully someone will know what's up.
i've no real pressing need to install debian/selinux right now
(as i did last year) otherwise i would try / see what happens.
l.
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-18 22:48 ` Luke Kenneth Casson Leighton
@ 2005-09-19 11:15 ` Dale Amon
2005-09-19 11:56 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-19 11:15 UTC (permalink / raw)
To: Dale Amon, selinux
On Sun, Sep 18, 2005 at 11:48:50PM +0100, Luke Kenneth Casson Leighton wrote:
> On Sun, Sep 18, 2005 at 10:58:41PM +0100, Dale Amon wrote:
>
> > > selinux=1 enabled=0
> >
> > Actually, it's enforcing=0.
>
> it's been a while :)
>
> > And unfortunately that doesn't help.
> > I still get the same error messages as before.
>
>
> > > it's something to do with failures in the make process which i never
> > > got to the bottom of - probably some of the libselinux / sepol
> > > libraries detecting that selinux wasn't enabled, and not allowing
> > > the build process to proceed properly.
> >
> > There is definitely something I am missing with libsepol because
> > there is an error about it which means absolutely nothing to me
> > that causes dselect to give up on installing the default policy.
>
> dselect? ha! dselect is for wimps.
>
> okay.
>
> describe _exactly_ where you got everything from - what the packages
> are, etc. how you did the install (you _should_ ideally be messin with
> the latest linux2.6 nsa source code - kernel, library, etc. but hey if
> you have found dpkg packages that's cool).
>
> send all info to list.
Okay, you asked for it. First, a fresh install from the Debian 31r0a
sarge i386 net install CD. Take the defaults on pretty much everything
except hostname and partitions. I picked the workstation 3 partition
option. After the reboot, I have tried both doing the immediate
update in aptitude for sarge, or bogging out and editing the
sources.list first. The sources.list file is:
#deb file:///cdrom/ sarge main
deb http://ftp.ie.debian.org/debian/ sid main
deb-src http://ftp.ie.debian.org/debian/ sid main
deb http://www.coker.com.au/newselinux ./
deb http://security.debian.org/ stable/updates main
Then I either apt-get update and upgrade or do the same
in dselect, depending on mood. Result is the same, the error
I described previously.
The set of packages installed at the moment is:
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==================================-=====================-============================================
ii adduser 3.67.0 Add and remove users and groups
ii amd64-libs 1.2 Amd64 shared libraries for use on i386/x86_6
ii apt 0.6.41 Advanced front-end for dpkg
ii apt-utils 0.6.41 APT utility programs
ii aptitude 0.2.15.9-6 terminal-based apt frontend
ii at 3.1.9 Delayed job execution and batch processing
ii base-config 2.71 Debian base system configurator
ii base-files 3.1.7 Debian base system miscellaneous files
ii base-passwd 3.5.10 Debian base system master password and group
ii bash 3.0-16 The GNU Bourne Again SHell
ii bc 1.06-17 The GNU bc arbitrary precision calculator la
ii bin86 0.16.14-1.2 16-bit x86 assembler and loader
ii bind9-host 9.3.1-2 Version of 'host' bundled with BIND 9.X
ii binutils 2.16.1cvs20050902-1 The GNU assembler, linker and binary utiliti
ii bison 2.0-2 A parser generator that is compatible with Y
ii bsdmainutils 6.1.2 collection of more utilities from FreeBSD
ii bsdutils 2.12p-7 Basic utilities from 4.4BSD-Lite
ii bwidget 1.7.0-1 A set of extension widgets for Tcl/Tk
ii bzip2 1.0.2-8.1 high-quality block-sorting file compressor -
ii checkpolicy 1.26-1 SELinux policy compiler
ii console-common 0.7.53 Basic infrastructure for text console config
ii console-data 2002.12.04dbs-49 Keymaps, fonts, charset maps, fallback table
ii console-tools 0.2.3dbs-56 Linux console and font utilities
ii coreutils 5.2.1-2.1 The GNU core utilities
ii cpio 2.6-5 GNU cpio -- a program to manage archives of
ii cpp 4.0.1-3 The GNU C preprocessor (cpp)
ii cpp-4.0 4.0.1-7 The GNU C preprocessor
ii cramfsprogs 1.1-6 Tools for CramFs (Compressed ROM File System
ii cron 3.0pl1-91 management of regular background processing
ii dash 0.5.2-7 The Debian Almquist Shell
ii dc 1.06-17 The GNU dc arbitrary precision reverse-polis
ii debconf 1.4.58 Debian configuration management system
ii debconf-i18n 1.4.58 full internationalization support for debcon
ii debconf-utils 1.4.58 debconf utilities
ii debianutils 2.14.3 Miscellaneous utilities specific to Debian
ii defoma 0.11.8-0.1 Debian Font Manager -- automatic font config
ii dhcp-client 2.0pl5-19.1 DHCP Client
ii dictionaries-common 0.50.4 Common utilities for spelling dictionary too
ii diff 2.8.1-11 File comparison utilities
ii discover1 1.7.13 hardware identification system
ii discover1-data 1.2005.07.31 hardware lists for libdiscover1
ii dmidecode 2.7-2 Dump Desktop Management Interface data
ii dnsutils 9.3.1-2 Clients provided with BIND
ii doc-debian 3.1.2 Debian Project documentation, Debian FAQ and
ii doc-linux-text 2005.09-1 Linux HOWTOs and FAQs in ASCII format
ii dpkg 1.13.11 package maintenance system for Debian
ii dpkg-dev 1.13.11 package building tools for Debian
ii dselect 1.13.11 user tool to manage Debian packages
ii e2fslibs 1.38-2 ext2 filesystem libraries
ii e2fsprogs 1.38-2 ext2 file system utilities and libraries
ii ed 0.2-20 The classic unix line editor
ii eject 2.0.13deb-15 ejects CDs and operates CD-Changers under Li
ii exim4 4.52-2 metapackage to ease exim MTA (v4) installati
ii exim4-base 4.52-2 support files for all exim MTA (v4) packages
ii exim4-config 4.52-2 configuration for the exim MTA (v4)
ii exim4-daemon-light 4.52-2 lightweight exim MTA (v4) daemon
ii fdutils 5.5-20050303-1 Linux floppy utilities
ii file 4.12-1 Determines file type using "magic" numbers
ii findutils 4.2.25-1 utilities for finding files--find, xargs, an
ii finger 0.17-8 user information lookup program
ii flex 2.5.31-34 A fast lexical analyzer generator.
ii fontconfig 2.3.2-1 generic font configuration library
ii ftp 0.17-13 The FTP client
ii g++ 4.0.1-3 The GNU C++ compiler
ii g++-4.0 4.0.1-7 The GNU C++ compiler
ii gcc 4.0.1-3 The GNU C compiler
ii gcc-3.3-base 3.3.6-10 The GNU Compiler Collection (base package)
ii gcc-4.0 4.0.1-7 The GNU C compiler
ii gcc-4.0-base 4.0.1-7 The GNU Compiler Collection (base package)
ii gdb 6.3-6 The GNU Debugger
ii gettext-base 0.14.5-2 GNU Internationalization utilities for the b
ii gnu-efi 3.0a-4 Library for developing EFI applications
ii gnupg 1.4.1-1 GNU privacy guard - a free PGP replacement
ii grep 2.5.1.ds1-6 GNU grep, egrep and fgrep
ii groff-base 1.18.1.1-10 GNU troff text-formatting system (base syste
ii grub 0.95+cvs20040624-17 GRand Unified Bootloader
ii gzip 1.3.5-12 The GNU compression utility
ii hicolor-icon-theme 0.8-3 default fallback theme for FreeDesktop.org i
ii hostname 2.91 utility to set/show the host name or domain
ii hotplug 0.0.20040329-25 Linux Hotplug Scripts
ii iamerican 3.1.20.0-4 An American English dictionary for ispell
ii ibritish 3.1.20.0-4 A British English dictionary for ispell
ii ifupdown 0.6.7 high level tools to configure network interf
ii info 4.7-2.2 Standalone GNU Info documentation browser
ii initrd-tools 0.1.82 tools to create initrd image for prepackaged
ii initscripts 2.86.ds1-2 Standard scripts needed for booting and shut
ii ipchains 1.3.10-16 Network firewalling for Linux 2.2.x
ii iptables 1.3.3-2 Linux kernel 2.4+ iptables administration to
ii iputils-ping 20020927-2 Tools to test the reachability of network ho
ii ispell 3.1.20.0-4 International Ispell (an interactive spellin
ii kernel-doc-2.6.8 2.6.8-16 Linux kernel specific documentation for vers
ii kernel-image-2.4.27-2-386 2.4.27-11 Linux kernel image for version 2.4.27 on 386
ii kernel-pcmcia-modules-2.4.27-2-386 2.4.27-11 Mainstream PCMCIA modules 2.4.27 on 386
ii kernel-source-2.6.8 2.6.8-16 Linux kernel source for version 2.6.8 with D
ii klogd 1.4.1-17 Kernel Logging Daemon
ii laptop-detect 0.12.1 attempt to detect a laptop
ii less 382-2 Pager program similar to more
ii lib64gcc1 4.0.1-7 GCC support library (64bit)
ii lib64stdc++6 4.0.1-7 The GNU Standard C++ Library v3 (64bit)
ii libacl1 2.2.29-1.0.1 Access control list shared library
ii libatk1.0-0 1.10.3-1 The ATK accessibility toolkit
ii libatk1.0-data 1.10.3-1 Common files for the ATK accessibility toolk
ii libattr1 2.4.21-1.0.1 Extended attribute shared library
ii libbind9-0 9.3.1-2 BIND9 Shared Library used by BIND
ii libblkid1 1.38-2 block device id library
ii libbz2-1.0 1.0.2-8.1 high-quality block-sorting file compressor l
ii libc6 2.3.5-6 GNU C Library: Shared libraries and Timezone
ii libc6-dev 2.3.5-6 GNU C Library: Development Libraries and Hea
ii libcap1 1.10-14 support for getting/setting POSIX.1e capabil
ii libcomerr2 1.38-2 common error description library
ii libconsole 0.2.3dbs-56 Shared libraries for Linux console and font
ii libdb1-compat 2.1.3-8 The Berkeley database routines [glibc 2.0/2.
ii libdb3 3.2.9-22 Berkeley v3 Database Libraries [runtime]
ii libdb4.2 4.2.52-19 Berkeley v4.2 Database Libraries [runtime]
ii libdb4.3 4.3.28-3 Berkeley v4.3 Database Libraries [runtime]
ii libdiscover1 1.7.13 hardware identification library
ii libdns20 9.3.1-2 DNS Shared Library used by BIND
ii libedit2 2.9.cvs.20050518-2.2 BSD editline and history libraries
ii libevent1 1.1a-1 An asynchronous event notification library
ii libexpat1 1.95.8-3 XML parsing C library - runtime library
ii libfontconfig1 2.3.2-1 generic font configuration library (shared l
ii libfreetype6 2.1.10-1 FreeType 2 font engine, shared library files
ii libfs6 6.8.2.dfsg.1-7 X Font Server library
ii libft-perl 1.2-15 Perl module for the FreeType library
ii libgc1c2 6.5-1 conservative garbage collector for C and C++
ii libgcc1 4.0.1-7 GCC support library
ii libgcrypt11 1.2.1-4 LGPL Crypto library - runtime library
ii libgdbm3 1.8.3-2 GNU dbm database routines (runtime version)
ii libglade2-0 2.5.1-2 library to load .glade files at runtime
ii libglib2.0-0 2.8.0-1 The GLib library of C routines
ii libglib2.0-data 2.8.0-1 Common files for GLib library
ii libgnutls11 1.0.16-13.1 GNU TLS library - runtime library
ii libgnutls12 1.2.6-1 the GNU TLS library - runtime library
ii libgpg-error0 1.1-4 library for common error values and messages
ii libgpmg1 1.19.6-21 General Purpose Mouse - shared library
ii libgtk2.0-0 2.6.10-1 The GTK+ graphical user interface library
ii libgtk2.0-bin 2.6.10-1 The programs for the GTK+ graphical user int
ii libgtk2.0-common 2.6.10-1 Common files for the GTK+ graphical user int
ii libice6 6.8.2.dfsg.1-7 Inter-Client Exchange library
ii libident 0.22-3 simple RFC1413 client library - runtime
ii libidn11 0.5.18-1 GNU libidn library, implementation of IETF I
ii libisc9 9.3.1-2 ISC Shared Library used by BIND
ii libisccc0 9.3.1-2 Command Channel Library used by BIND
ii libisccfg1 9.3.1-2 Config File Handling Library used by BIND
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG runtime li
ii libkrb53 1.3.6-5 MIT Kerberos runtime libraries
ii libldap-2.2-7 2.2.26-4 OpenLDAP libraries
ii libldap2 2.1.30-11 OpenLDAP libraries
ii liblocale-gettext-perl 1.05-1 Using libc functions for internationalizatio
ii liblockfile1 1.06 NFS-safe locking library, includes dotlockfi
ii liblwres1 9.3.1-2 Lightweight Resolver Library used by BIND
ii liblzo1 1.08-2 data compression library
ii libmagic1 4.12-1 File type determination library using "magic
ii libncurses5 5.4-9 Shared libraries for terminal handling
ii libncurses5-dev 5.4-9 Developer's libraries and docs for ncurses
ii libncursesw5 5.4-9 Shared libraries for terminal handling (wide
ii libnewt0.51 0.51.6-31 Not Erik's Windowing Toolkit - text mode win
ii libnfsidmap1 0.8-1 An nfs idmapping library
ii libnss-db 2.2.3pre1-1 NSS module for using Berkeley Databases as a
ii libopencdk8 0.5.7-2 Open Crypto Development Kit (OpenCDK) (runti
ii libpam-modules 0.77-0.se5 Pluggable Authentication Modules for PAM
ii libpam-runtime 0.77-0.se5 Runtime support for the PAM library
ii libpam0g 0.77-0.se5 Pluggable Authentication Modules library
ii libpango1.0-0 1.8.2-2 Layout and rendering of internationalized te
ii libpango1.0-common 1.8.2-2 Modules and configuration files for the Pang
ii libpcap0.7 0.7.2-7 System interface for user-level packet captu
ii libpcre3 6.3-1 Perl 5 Compatible Regular Expression Library
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libreadline4 4.3-16 GNU readline and history libraries, run-time
ii libreadline5 5.0-11 GNU readline and history libraries, run-time
ii libsasl2 2.1.19-1.6 Authentication abstraction library
ii libselinux1 1.26-1 SELinux shared libraries
ii libselinux1-dev 1.26-1 SELinux development headers
ii libsepol1 1.8-1 Security Enhanced Linux policy library for c
ii libsepol1-dev 1.8-1 Security Enhanced Linux policy library and d
rc libsigc++-1.2-5c102 1.2.5-4 type-safe Signal Framework for C++ - runtime
ii libsigc++-1.2-5c2 1.2.5-5 type-safe Signal Framework for C++ - runtime
ii libslang2 2.0.4-5 The S-Lang programming library - runtime ver
ii libsm6 6.8.2.dfsg.1-7 X Window System Session Management library
ii libss2 1.38-2 command-line interface parsing library
ii libssl0.9.7 0.9.7g-2 SSL shared libraries
ii libstdc++5 3.3.6-10 The GNU Standard C++ Library v3
ii libstdc++6 4.0.1-7 The GNU Standard C++ Library v3
ii libstdc++6-4.0-dev 4.0.1-7 The GNU Standard C++ Library v3 (development
ii libtasn1-2 0.2.13-1 Manage ASN.1 structures (runtime)
ii libtext-charwidth-perl 0.04-2 get display widths of characters on the term
ii libtext-iconv-perl 1.4-1 converts between character sets in Perl
ii libtext-wrapi18n-perl 0.06-2 internationalized substitute of Text::Wrap
ii libtextwrap1 0.1-3 text-wrapping library with i18n - runtime
ii libtiff4 3.7.3-1 Tag Image File Format (TIFF) library
ii libttf2 1.4pre.20030402-1.1 FreeType 1, The FREE TrueType Font Engine, s
ii libusb-0.1-4 0.1.10a-21 userspace USB programming library
ii libuuid1 1.38-2 universally unique id library
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers library
ii libx11-6 6.8.2.dfsg.1-7 X Window System protocol client library
ii libxaw8 6.8.2.dfsg.1-7 X Athena widget set library
ii libxcursor1 1.1.3-1 X cursor management library
ii libxext6 6.8.2.dfsg.1-7 X Window System miscellaneous extension libr
ii libxft2 2.1.7-1 FreeType-based font drawing library for X
ii libxi6 6.8.2.dfsg.1-7 X Window System Input extension library
ii libxinerama1 6.8.2.dfsg.1-7 X Window System multi-head display library
ii libxml2 2.6.22-1 GNOME XML library
ii libxmu6 6.8.2.dfsg.1-7 X Window System miscellaneous utility librar
ii libxp6 6.8.2.dfsg.1-7 X Window System printing extension library
ii libxpm4 6.8.2.dfsg.1-7 X pixmap library
ii libxrandr2 6.8.2.dfsg.1-7 X Window System Resize, Rotate and Reflectio
ii libxrender1 0.9.0-2 X Rendering Extension client library
ii libxt6 6.8.2.dfsg.1-7 X Toolkit Intrinsics
ii linux-doc-2.6.12 2.6.12-6 Linux kernel specific documentation for vers
ii linux-image-2.6-686 2.6.12-6 Linux kernel 2.6 image on PPro/Celeron/PII/P
ii linux-image-2.6.12-1-686 2.6.12-6 Linux kernel 2.6.12 image on PPro/Celeron/PI
ii linux-image-686 2.6.12-6 Linux kernel image on PPro/Celeron/PII/PIII/
ii linux-kernel-headers 2.6.13+0rc3-1.1 Linux Kernel Headers for development
ii linux-source-2.6.12 2.6.12-6 Linux kernel source for version 2.6.12 with
ii locales 2.3.5-6 GNU C Library: National Language (locale) da
ii login 4.0.3-39 system login tools
ii logrotate 3.7.1-2 Log rotation utility
ii lpr 2005.05.01 BSD lpr/lpd line printer spooling system
ii lsb-base 3.0-6 Linux Standard Base 3.0 init script function
ii lsof 4.76.dfsg.1-1 List open files.
ii m4 1.4.3-2 a macro processing language
ii mailx 8.1.2-0.20050715cvs-1 A simple mail user agent
ii make 3.80-11 The GNU version of the "make" utility.
ii makedev 2.3.1-78 creates device files in /dev
ii man-db 2.4.3-2 The on-line manual pager
ii manpages 2.02-2 Manual pages about using a GNU/Linux system
ii manpages-dev 2.02-2 Manual pages about using GNU/Linux for devel
ii mawk 1.3.3-11 a pattern scanning and text processing langu
ii mime-support 3.35-1 MIME files 'mime.types' & 'mailcap', and sup
ii module-init-tools 3.2-pre8-1 tools for managing Linux kernel modules
ii modutils 2.4.27.0-3 Linux module utilities
ii mount 2.12p-7 Tools for mounting and manipulating filesyst
ii mpack 1.6-1.1 tools for encoding/decoding MIME messages
ii mtools 3.9.9-2.1 Tools for manipulating MSDOS files
ii mtr-tiny 0.69-2 Full screen ncurses traceroute tool
ii mutt 1.5.10-1 Text-based mailreader supporting MIME, GPG,
ii nano 1.3.8-2 free Pico clone with some new features
ii ncurses-base 5.4-9 Descriptions of common terminal types
ii ncurses-bin 5.4-9 Terminal-related programs and man pages
ii ncurses-term 5.4-9 Additional terminal type definitions
ii net-tools 1.60-15 The NET-3 networking toolkit
ii netbase 4.21 Basic TCP/IP networking system
ii netcat 1.10-27 TCP/IP swiss army knife
ii netkit-inetd 0.10-10.2 The Internet Superserver
ii nfs-common 1.0.7-3 NFS support files common to client and serve
ii nvi 1.79-22 4.4BSD re-implementation of vi
ii openssh-client 4.2p1-4 Secure shell client, an rlogin/rsh/rcp repla
ii passwd 4.0.3-39 change and administer password and group dat
ii patch 2.5.9-2 Apply a diff file to an original
ii pciutils 2.1.11-15.1 Linux PCI Utilities
ii pcmcia-cs 3.2.8-5 PCMCIA Card Services for Linux
ii perl 5.8.7-5 Larry Wall's Practical Extraction and Report
ii perl-base 5.8.7-5 The Pathologically Eclectic Rubbish Lister
ii perl-modules 5.8.7-5 Core Perl modules
ii pidentd 3.0.18-3 TCP/IP IDENT protocol server with DES suppor
ii policycoreutils 1.26-1 SELinux core policy utilities
ii portmap 5-15 The RPC portmapper
ii ppp 2.4.3-20050321+2 Point-to-Point Protocol (PPP) daemon
ii pppconfig 2.3.11 A text menu based utility for configuring pp
ii pppoe 3.5-4 PPP over Ethernet driver
ii pppoeconf 1.7 configures PPPoE/ADSL connections
ii procmail 3.22-11 Versatile e-mail processor
ii procps 3.2.5-1 /proc file system utilities
ii psmisc 21.6-1 Utilities that use the proc filesystem
ii python 2.3.5-3 An interactive high-level object-oriented la
ii python-newt 0.51.6-31 A NEWT module for Python
ii python2.3 2.3.5-8 An interactive high-level object-oriented la
ii readline-common 5.0-11 GNU readline and history libraries, common f
ii reportbug 3.17 reports bugs in the Debian distribution
ii sed 4.1.4-4 The GNU sed stream editor
ii selinux-doc 1.22-1 documentation for Security-Enhanced Linux
iF selinux-policy-default 1.18-1 Policy config files and management for NSA S
ii selinux-utils 1.26-1 SELinux utility programs
ii setools 2.1.2-1 Tresys tools for managing SE Linux
ii sgml-base 1.26 SGML infrastructure and SGML catalog file su
ii sharutils 4.2.1-15 shar, unshar, uuencode, uudecode
ii slang1a-utf8 1.4.9dbs-8 The S-Lang programming library with utf8 sup
ii strace 4.5.12-1 A system call tracer
ii sysklogd 1.4.1-17 System Logging Daemon
ii sysv-rc 2.86.ds1-2 Standard boot mechanism using symlinks in /e
ii sysvinit 2.86.ds1-2 System-V like init
ii tar 1.15.1-2 GNU tar
ii tasksel 2.31 Tool for selecting tasks for installation on
ii tcl8.4 8.4.11-1 Tcl (the Tool Command Language) v8.4 - run-t
ii tcpd 7.6.dbs-8 Wietse Venema's TCP wrapper utilities
ii tcsh 6.14.00-1 TENEX C Shell, an enhanced version of Berkel
ii telnet 0.17-30 The telnet client
ii texinfo 4.7-2.2 Documentation system for on-line information
ii time 1.7-21 The GNU time program for measuring cpu resou
ii tk8.4 8.4.11-1 Tk toolkit for Tcl and X11, v8.4 - run-time
ii traceroute 1.4a12-20 traces the route taken by packets over a TCP
ii ttf-bitstream-vera 1.10-3 The Bitstream Vera family of free TrueType f
ii ucf 2.001 Update Configuration File: preserves user ch
ii usbutils 0.71-5 USB console utilities
ii util-linux 2.12p-7 Miscellaneous system utilities
ii w3m 0.5.1-4 WWW browsable pager with excellent tables/fr
ii wamerican 5-4 American English dictionary words for /usr/s
ii wget 1.10.1-1 retrieves files from the web
ii whiptail 0.51.6-31 Displays user-friendly dialog boxes from she
ii whois 4.7.8 the GNU whois client
ii x-ttcidfont-conf 18 Configure TrueType and CID fonts for X
ii x11-common 6.8.2.dfsg.1-7 X Window System (X.Org) infrastructure
ii xlibs-data 6.8.2.dfsg.1-7 X Window System client data
ii xml-core 0.09 XML infrastructure and XML catalog file supp
ii xterm 6.8.2.dfsg.1-7 X terminal emulator
ii xutils 6.8.2.dfsg.1-7 X Window System utility programs
ii zile 2.2.2-1 very small emacs-like editor
ii zlib1g 1.2.3-4 compression library - runtime
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-19 11:15 ` Dale Amon
@ 2005-09-19 11:56 ` Luke Kenneth Casson Leighton
2005-09-19 12:12 ` Stephen Smalley
0 siblings, 1 reply; 20+ messages in thread
From: Luke Kenneth Casson Leighton @ 2005-09-19 11:56 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux
hiya dale,
a quick search on google for "manoj selinux" showed two things, one of
which is unavailable and could probably be obtained from google cache,
and the other is this:
http://wiki.debian.net/?SELinux
oops. manoj's site isn't up.
mirrors when it is, anyone?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-19 11:56 ` Luke Kenneth Casson Leighton
@ 2005-09-19 12:12 ` Stephen Smalley
0 siblings, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2005-09-19 12:12 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: Dale Amon, selinux
On Mon, 2005-09-19 at 12:56 +0100, Luke Kenneth Casson Leighton wrote:
> hiya dale,
>
> a quick search on google for "manoj selinux" showed two things, one of
> which is unavailable and could probably be obtained from google cache,
> and the other is this:
>
> http://wiki.debian.net/?SELinux
>
> oops. manoj's site isn't up.
>
> mirrors when it is, anyone?
Manoj's site is:
http://www.golden-gryphon.com/software/security/selinux.xhtml
I already have it linked into the Debian page at the selinux sourceforge
site, as well as listed in Manoj's entry in selinux-doc/CREDITS.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-17 23:31 State of Debian SELinux Dale Amon
2005-09-18 0:10 ` Jiann-Ming Su
2005-09-18 0:15 ` Luke Kenneth Casson Leighton
@ 2005-09-19 12:27 ` Stephen Smalley
2005-09-20 18:10 ` Dale Amon
2 siblings, 1 reply; 20+ messages in thread
From: Stephen Smalley @ 2005-09-19 12:27 UTC (permalink / raw)
To: Dale Amon; +Cc: Manoj Srivastava, Russell Coker, selinux
[-- Attachment #1: Type: text/plain, Size: 3332 bytes --]
On Sun, 2005-09-18 at 00:31 +0100, Dale Amon wrote:
> I've set aside the next week to come back to SELinux
> and evaluate if it's reached the point where I could
> recommend it for customer sites.
>
> So far Debian SELinux is looking pretty grim, and I'd
> like feedback on whether there really is a straight
> forward path to install it. By that I mean one with
> out a lot of kludges and pain as in the long
> (and already obsolete) description of the Debian
> install in McCarty's O'Reilly book.
>
> I'm starting from a freshly burned Debian stable
> install iso. I do a bog standard install up to
> the point where the reboot brings you into aptitude.
> I've tried both forks at that point; updating first
> in sarge or cancelling.
>
> I change the sources.list to sid and add Russell's
> newselinux package line; then I update and
> after selecting all the appropriate packages (and
> the 2.6.12 kernel) I upgrade.
>
> Problems: One, I have to deselect cups in the
> policy default because it has an error that causes
> the install to fail.
>
> But even without it no go. I assumed I had to
> reboot to get the selinuxfs, so I did that. But
> the boot complains about it and a manual mount /selinuxfs
> claims the kernel doesn't know what it is.
>
> I checked the config; looks like everything associated
> with selinux (and with xattr's on various file systems)
> is selected.
First, I'm not sure why you need to reboot to finish compiling the
policy, as the kernel has nothing to do with the policy build.
If selinuxfs isn't listed in /proc/filesystems, then SELinux is disabled
in your kernel, either via the compile-time options or via the boot time
parameter (which in Debian and SuSE defaults to selinux=0; you have to
explicitly use selinux=1 to enable it). Fedora defaults to enabled.
> The package will still not finish installing. The
> error is:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> libsepol.expand_abtab_insert: Type conflict!
> Out of memory - unable to check assertions.
> Check assertions failed.
Hmmm...can you send me (just me, not the entire list) that policy.conf?
Or apply the attached patch to your libsepol, rebuild it, rebuild
checkpolicy against it (it uses the static lib), and try again?
> I could fiddle a lot more, but that would be counter
> productive: this time around I'm looking for a
> reliable and straightforward install, not just
> a bit of play time hacking.
>
> Is there an up to date description of the Debian
> install? McCarty's book is *way* out of date; I
> could not find a current install procedure on
> Russell's site, although such might be buried in
> one of his many find tutorials.
>
> Is there a current canonical 1-2-3 procedure for
> going from the current debian iso to a fully
> installed SELinux system? I don't mind if I have
> to fiddle with policy afterwards, but I do want
> the comfort of knowing I've got a reliable means
> of installing and updating (or talking a customer
> through it) if I am to consider using it for real.
>
> Of course the fact that sid seems to be required
> is a *huge* negative to start with...
I think that most of your questions can only be answered by Russell
and/or Manoj, as they seem to be maintaining SELinux for Debian.
--
Stephen Smalley
National Security Agency
[-- Attachment #2: libsepol-1.9.1.patch --]
[-- Type: text/x-patch, Size: 2341 bytes --]
Index: libsepol/ChangeLog
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -p -r1.59 -r1.60
--- libsepol/ChangeLog 6 Sep 2005 17:52:49 -0000 1.59
+++ libsepol/ChangeLog 9 Sep 2005 14:32:32 -0000 1.60
@@ -1,3 +1,7 @@
+1.9.1 2005-09-09
+ * Fixed expand_avtab and expand_cond_av_list to keep separate
+ entries with identical keys but different enabled flags.
+
1.8 2005-09-06
* Updated version for release.
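Review bot: the 1.9.1 entry names expand_avtab and expand_cond_av_list, but the functions this patch edits in libsepol/src/expand.c are expand_avtab_insert and expand_cond_insert. Naming those in the entry would let someone searching the ChangeLog for the changed code find it.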
Index: libsepol/VERSION
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -p -r1.54 -r1.55
--- libsepol/VERSION 6 Sep 2005 17:52:49 -0000 1.54
+++ libsepol/VERSION 9 Sep 2005 14:32:32 -0000 1.55
@@ -1 +1 @@
-1.8
+1.9.1
Index: libsepol/src/expand.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/expand.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- libsepol/src/expand.c 23 Aug 2005 13:05:18 -0000 1.10
+++ libsepol/src/expand.c 9 Sep 2005 14:32:35 -0000 1.11
@@ -1916,17 +1916,29 @@ int expand_module(policydb_t *base, poli
static int expand_avtab_insert(avtab_t *a, avtab_key_t *k, avtab_datum_t *d)
{
+ avtab_ptr_t node;
avtab_datum_t *avd;
int rc;
-
- avd = avtab_search(a, k);
- if (!avd) {
+
+ node = avtab_search_node(a, k);
+ if (!node) {
rc = avtab_insert(a, k, d);
if (rc)
DEBUG(__FUNCTION__, "Out of memory!\n");
return rc;
}
-
+
+ if ((k->specified & AVTAB_ENABLED) !=
+ (node->key.specified & AVTAB_ENABLED)) {
+ node = avtab_insert_nonunique(a, k, d);
+ if (!node) {
+ DEBUG(__FUNCTION__, "Out of memory!\n");
+ return -1;
+ }
+ return 0;
+ }
+
+ avd = &node->datum;
switch (k->specified & ~AVTAB_ENABLED) {
case AVTAB_ALLOWED:
case AVTAB_AUDITALLOW:
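Review bot: in expand_avtab_insert the new AVTAB_ENABLED comparison looks only at the single node that avtab_search_node(a, k) returns. Once avtab_insert_nonunique has put a second entry with the same key into the table, a later call with that key can still land on the node carrying the other enabled flag and add a further duplicate instead of reaching the switch for the entry whose flag matches. Consider walking every node that matches k, merging into the one whose (key.specified & AVTAB_ENABLED) equals the incoming value, and inserting only when none does.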
@@ -2035,7 +2047,8 @@ static int expand_cond_insert(cond_av_li
cond_av_list_t *nl;
node = avtab_search_node(expa, k);
- if (!node) {
+ if (!node ||
+ (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) {
node = avtab_insert_nonunique(expa, k, d);
if (!node) {
DEBUG(__FUNCTION__, "Out of memory!\n");
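Review bot: the condition added to expand_cond_insert repeats the (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED) test that the previous hunk adds to expand_avtab_insert. A small static helper taking the key and the node would keep the two call sites from drifting apart, and would also bring the second line of this if back within the line width used in the rest of the file.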
^ permalink raw reply [flat|nested] 20+ messages in thread
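The selinuxfs diagnosis described in the reply above, as an added example that is not part of the original thread. The function name, state names and sample files are hypothetical; it assumes that when selinux= appears more than once on the kernel command line, the last occurrence is the one in effect.

```shell
#!/bin/sh
# selinux_kernel_state [FILESYSTEMS_FILE] [CMDLINE_FILE]
# Prints one word and returns 0 only when selinuxfs can be mounted:
#   enabled        selinuxfs is registered with the running kernel
#   boot-disabled  the command line carries selinux=0
#   boot-default   no selinux= parameter, so the distribution default applies
#                  (selinux=0 on Debian and SuSE according to the thread)
#   not-built      selinux=<nonzero> was given, yet selinuxfs is absent,
#                  which points at the kernel's compile-time options
selinux_kernel_state() {
    fs_file=${1:-/proc/filesystems}
    cmdline_file=${2:-/proc/cmdline}

    # Lines look like "nodev<TAB>selinuxfs"; the name is the last field.
    if awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' "$fs_file"
    then
        echo enabled
        return 0
    fi

    # Assumption: the last selinux= on the command line wins.
    setting=$(tr -s ' ' '\n' < "$cmdline_file" |
              sed -n 's/^selinux=//p' | tail -n 1)
    case $setting in
        '') echo boot-default ;;
        0)  echo boot-disabled ;;
        *)  echo not-built ;;
    esac
    return 1
}

# selinux_state_samples: writes constructed stand-ins for /proc/filesystems
# and /proc/cmdline into a temporary directory and prints its path.
selinux_state_samples() {
    dir=$(mktemp -d) || return 1
    printf 'nodev\tsysfs\nnodev\tproc\n\text3\n' > "$dir/fs.off"
    printf 'nodev\tsysfs\nnodev\tselinuxfs\n\text3\n' > "$dir/fs.on"
    echo 'root=/dev/hda1 ro' > "$dir/cmd.default"
    echo 'root=/dev/hda1 ro selinux=0' > "$dir/cmd.zero"
    echo 'root=/dev/hda1 ro selinux=0 selinux=1' > "$dir/cmd.one"
    echo "$dir"
}

# Demonstration on the constructed samples (selinuxfs absent in all three).
samples=$(selinux_state_samples)
for c in default zero one; do
    printf 'cmd.%s: %s\n' "$c" \
        "$(selinux_kernel_state "$samples/fs.off" "$samples/cmd.$c")"
done
rm -rf "$samples"
```

Called with no arguments, selinux_kernel_state reads /proc/filesystems and /proc/cmdline of the running system.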
* Re: State of Debian SELinux
2005-09-19 12:27 ` Stephen Smalley
@ 2005-09-20 18:10 ` Dale Amon
2005-09-20 20:14 ` Stephen Smalley
0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-20 18:10 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux
[-- Attachment #1: Type: text/plain, Size: 4198 bytes --]
On Mon, Sep 19, 2005 at 08:27:50AM -0400, Stephen Smalley wrote:
> Index: libsepol/ChangeLog
> ===================================================================
> RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v
> retrieving revision 1.59
> retrieving revision 1.60
> diff -u -p -r1.59 -r1.60
> --- libsepol/ChangeLog 6 Sep 2005 17:52:49 -0000 1.59
> +++ libsepol/ChangeLog 9 Sep 2005 14:32:32 -0000 1.60
> @@ -1,3 +1,7 @@
> +1.9.1 2005-09-09
> + * Fixed expand_avtab and expand_cond_av_list to keep separate
> + entries with identical keys but different enabled flags.
> +
> 1.8 2005-09-06
> * Updated version for release.
>
> Index: libsepol/VERSION
> ===================================================================
> RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v
> retrieving revision 1.54
> retrieving revision 1.55
> diff -u -p -r1.54 -r1.55
> --- libsepol/VERSION 6 Sep 2005 17:52:49 -0000 1.54
> +++ libsepol/VERSION 9 Sep 2005 14:32:32 -0000 1.55
> @@ -1 +1 @@
> -1.8
> +1.9.1
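Review bot: VERSION moves from 1.8 straight to 1.9.1, and the ChangeLog hunk likewise puts the 1.9.1 entry directly on top of 1.8. If 1.9 was skipped on purpose, a line in the ChangeLog saying so would stop packagers from looking for it.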
> Index: libsepol/src/expand.c
> ===================================================================
> RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/expand.c,v
> retrieving revision 1.10
> retrieving revision 1.11
> diff -u -p -r1.10 -r1.11
> --- libsepol/src/expand.c 23 Aug 2005 13:05:18 -0000 1.10
> +++ libsepol/src/expand.c 9 Sep 2005 14:32:35 -0000 1.11
> @@ -1916,17 +1916,29 @@ int expand_module(policydb_t *base, poli
>
> static int expand_avtab_insert(avtab_t *a, avtab_key_t *k, avtab_datum_t *d)
> {
> + avtab_ptr_t node;
> avtab_datum_t *avd;
> int rc;
> -
> - avd = avtab_search(a, k);
> - if (!avd) {
> +
> + node = avtab_search_node(a, k);
> + if (!node) {
> rc = avtab_insert(a, k, d);
> if (rc)
> DEBUG(__FUNCTION__, "Out of memory!\n");
> return rc;
> }
> -
> +
> + if ((k->specified & AVTAB_ENABLED) !=
> + (node->key.specified & AVTAB_ENABLED)) {
> + node = avtab_insert_nonunique(a, k, d);
> + if (!node) {
> + DEBUG(__FUNCTION__, "Out of memory!\n");
> + return -1;
> + }
> + return 0;
> + }
> +
> + avd = &node->datum;
> switch (k->specified & ~AVTAB_ENABLED) {
> case AVTAB_ALLOWED:
> case AVTAB_AUDITALLOW:
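Review bot: both failure paths in expand_avtab_insert log "Out of memory!" whatever went wrong, and they disagree on the result: the first returns rc from avtab_insert while the new avtab_insert_nonunique branch returns a literal -1. Returning one consistent error value, and logging rc where one exists, would make a failure here easier to tell apart from a real allocation failure.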
> @@ -2035,7 +2047,8 @@ static int expand_cond_insert(cond_av_li
> cond_av_list_t *nl;
>
> node = avtab_search_node(expa, k);
> - if (!node) {
> + if (!node ||
> + (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) {
> node = avtab_insert_nonunique(expa, k, d);
> if (!node) {
> DEBUG(__FUNCTION__, "Out of memory!\n");
To save time I did this in a chroot.
The debian version is 1.8-1; your patch applied cleanly
against this. I incremented the changelog to reflect
the version change and built 1.9-1 debian packages
which installed.
However, rerunning dselect still shows the same error
messages as before.
Reading package lists... Done
Building dependency tree... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue [Y/n]?
Setting up selinux-policy-default (1.18-1) ...
/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions
Check assertions failed.
make: *** [/etc/selinux/policy/policy.20] Error 255
dpkg: error processing selinux-policy-default (--configure):
subprocess post-installation script returned error exit status 2
Errors were encountered while processing:
selinux-policy-default
I could swap the drives out and try this live instead
of from chroot, but I doubt it would matter.
Suggestions?
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-20 18:10 ` Dale Amon
@ 2005-09-20 20:14 ` Stephen Smalley
2005-09-22 19:41 ` Stephen Smalley
0 siblings, 1 reply; 20+ messages in thread
From: Stephen Smalley @ 2005-09-20 20:14 UTC (permalink / raw)
To: Dale Amon; +Cc: Manoj Srivastava, Russell Coker, selinux
On Tue, 2005-09-20 at 19:10 +0100, Dale Amon wrote:
> Setting up selinux-policy-default (1.18-1) ...
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> libsepol.expand_avtab_insert: Type conflict!
> Out of memory - unable to check assertions
> Check assertions failed.
> make: *** [/etc/selinux/policy/policy.20] Error 255
<snip>
> Suggestions?
Yes, send me (privately) a copy of the policy.conf file.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-20 20:14 ` Stephen Smalley
@ 2005-09-22 19:41 ` Stephen Smalley
2005-09-22 21:31 ` Dale Amon
0 siblings, 1 reply; 20+ messages in thread
From: Stephen Smalley @ 2005-09-22 19:41 UTC (permalink / raw)
To: Dale Amon; +Cc: Manoj Srivastava, Russell Coker, selinux
On Tue, 2005-09-20 at 16:14 -0400, Stephen Smalley wrote:
> On Tue, 2005-09-20 at 19:10 +0100, Dale Amon wrote:
> > Setting up selinux-policy-default (1.18-1) ...
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > libsepol.expand_avtab_insert: Type conflict!
> > Out of memory - unable to check assertions
> > Check assertions failed.
> > make: *** [/etc/selinux/policy/policy.20] Error 255
> <snip>
> > Suggestions?
>
> Yes, send me (privately) a copy of the policy.conf file.
Just to follow-up on list, after receiving the policy.conf file in
question, I found that:
1) The erroneous output from checkpolicy above is corrected by the diff
I posted for libsepol (1.8->1.9.1) that was already in sourceforge CVS.
Note that checkpolicy has to be rebuilt to pick up the patched libsepol,
as it uses the static library.
2) With the libsepol fix applied and checkpolicy rebuilt, checkpolicy
then reports legitimate assertion failures on some conditional rules in
the policy.conf. These particular assertion failures were due to the
etc_writer attribute on the kernel_t type being wrapped by an obsolete
ifdef leftover from when we were using compile-time tunables rather than
runtime policy booleans for nfs exports. Older versions of checkpolicy
weren't checking the conditional rules against the assertions, so they
wouldn't report this failure. The policy fix is to add the etc_writer
attribute unconditionally to the kernel_t type, and was already in
sourceforge CVS.
3) With the policy fix applied, checkpolicy successfully compiles the
policy.conf file.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-22 19:41 ` Stephen Smalley
@ 2005-09-22 21:31 ` Dale Amon
2005-09-22 21:38 ` Dale Amon
0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-22 21:31 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux
[-- Attachment #1: Type: text/plain, Size: 1517 bytes --]
Further hacks to get Debian policy to install.
These are missing:
touch file_contexts/program/dante.fc
touch file_contexts/program/winbind.fc
These file contexts are duplicated
/etc/selinux/contexts/files/file_contexts: Multiple same specifications for /usr/lib(64)?/netsaint/plugins(/.*)?.
/etc/selinux/contexts/files/file_contexts: Multiple same specifications for /usr/lib(64)?/nagios/plugins(/.*)?.
In these files:
file_contexts/program/nagios.fc:/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
file_contexts/program/nrpe.fc:/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
file_contexts/program/nagios.fc:/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
file_contexts/program/nrpe.fc:/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t
These may have just been fixed since I last updated... I
will have to reload policy from scratch to confirm that.
Cups.te has an error:
domains/program/cups.te:245:ERROR 'unknown type rpm_var_lib_t' at token ';' on line 140828:
#line 245
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 20+ messages in thread
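A check for the colliding file-context specifications reported in the message above, as an added example that is not part of the original thread. The function names are hypothetical, the first four sample lines are the ones quoted in the message and the rest are constructed; the collision rule (same regex, and the file types either match or one side has none) is an assumption chosen to agree with the "Multiple same specifications" output shown there.

```shell
#!/bin/sh
# fc_duplicates FILE...
# Prints one TAB-separated line per colliding pair of specifications:
#   same|different  <regex>  <file of first spec>  <file of second spec>
# "same" means both map to the same context, "different" means they disagree.
fc_duplicates() {
    awk '
        /^[ \t]*#/ { next }     # comment line
        NF < 2     { next }     # blank or incomplete line
        {
            regex = $1
            # Three fields: regex, file type (--, -d, ...), context.
            # Two fields: regex, context (applies to every file type).
            if (NF >= 3) { ftype = $2; ctx = $3 } else { ftype = ""; ctx = $2 }
            for (i = 1; i <= n; i++) {
                if (re[i] != regex) continue
                # Assumed rule: two explicit but different file types do
                # not collide; a spec without a type collides with any.
                if (ft[i] != "" && ftype != "" && ft[i] != ftype) continue
                kind = (cx[i] == ctx) ? "same" : "different"
                printf "%s\t%s\t%s\t%s\n", kind, regex, src[i], FILENAME
            }
            n++; re[n] = regex; ft[n] = ftype; cx[n] = ctx; src[n] = FILENAME
        }
    ' "$@"
}

# fc_sample_dir: writes sample .fc files into a temporary directory and
# prints its path.
fc_sample_dir() {
    dir=$(mktemp -d) || return 1
    # These four lines are the ones quoted in the thread.
    cat > "$dir/nagios.fc" <<'EOF'
/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
EOF
    cat > "$dir/nrpe.fc" <<'EOF'
/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t
EOF
    cat > "$dir/constructed.fc" <<'EOF'
# Constructed lines, not from the thread.
/opt/example(/.*)? -d system_u:object_r:bin_t
/opt/example(/.*)? -- system_u:object_r:bin_t
/opt/example/etc(/.*)? system_u:object_r:etc_t
/opt/example/etc(/.*)? -- system_u:object_r:bin_t
EOF
    echo "$dir"
}

# Demonstration on the sample files.
sample=$(fc_sample_dir)
fc_duplicates "$sample"/*.fc
rm -rf "$sample"
```

In the policy source tree from the thread the equivalent call is `fc_duplicates file_contexts/program/*.fc`.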
* Re: State of Debian SELinux
2005-09-22 21:31 ` Dale Amon
@ 2005-09-22 21:38 ` Dale Amon
2005-09-22 22:43 ` Dale Amon
0 siblings, 1 reply; 20+ messages in thread
From: Dale Amon @ 2005-09-22 21:38 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux
[-- Attachment #1: Type: text/plain, Size: 800 bytes --]
The error in cups.te occurs because a reference to
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
occurs outside of the earlier conditional:
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
allow cupsd_config_t rpm_var_lib_t:file { getattr read };
')
allow cupsd_config_t initrc_exec_t:file getattr;
')dnl end distro_redhat
That looks like a Coker to me ;-)
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-22 21:38 ` Dale Amon
@ 2005-09-22 22:43 ` Dale Amon
0 siblings, 0 replies; 20+ messages in thread
From: Dale Amon @ 2005-09-22 22:43 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Dale Amon, Manoj Srivastava, Russell Coker, selinux
[-- Attachment #1: Type: text/plain, Size: 1147 bytes --]
Okay, I've got the debian selinux-policy-default package to install
finally. These are the hacks I used:
cd file_contexts/program/
touch dante.fc winbind.fc
#This is not required, but gets rid of an error msg
#edit nrpe.fc and comment out two lines:
# #/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
# #/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t
cd ../../domains/misc
#edit kernel.te, make line look like:
# type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, etc_writer ;
cd ../programs
#edit rpm.te and put conditional around line:
# ifdef(`rpm.te', `
# allow cupsd_config_t rpm_var_lib_t:file { getattr read };
# ')
I won't guarantee my hacks are right, but they
get me through dselect at least.
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-18 21:58 ` Dale Amon
2005-09-18 22:48 ` Luke Kenneth Casson Leighton
@ 2005-09-23 18:53 ` sswami
2005-09-23 20:02 ` Stephen Smalley
1 sibling, 1 reply; 20+ messages in thread
From: sswami @ 2005-09-23 18:53 UTC (permalink / raw)
To: Dale Amon; +Cc: Dale Amon, selinux
Hello,
I was trying to install SELinux using the 2.6 kernel. I have been using
relevant packages from the coker site. When I do "make policy", I get the
following error message:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.
Can anyone please let me know what I should do to get rid of this?
thanks
saswati
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: State of Debian SELinux
2005-09-23 18:53 ` sswami
@ 2005-09-23 20:02 ` Stephen Smalley
0 siblings, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2005-09-23 20:02 UTC (permalink / raw)
To: sswami; +Cc: Russell Coker, Manoj Srivastava, Dale Amon, selinux
[-- Attachment #1: Type: text/plain, Size: 1482 bytes --]
On Fri, 2005-09-23 at 14:53 -0400, sswami@eden.rutgers.edu wrote:
> I was trying to install SELinux using the 2.6 kernel. I have been using
> relevant packages from the coker site. When I do "make policy", I get the
> following error message:
>
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> libsepol.expand_avtab_insert: Type conflict!
> Out of memory - unable to check assertions.
> Check assertions failed.
>
> Can anyone please let me know what I should do to get rid of this?
There are a couple of issues here, as discussed previously in this
thread:
1) There is a bug in libsepol, fixed in libsepol 1.9.1 upstream. Patch
attached for your convenience. Requires rebuilding checkpolicy against
the updated libsepol as checkpolicy uses the static libsepol.
2) There is a bug in policy, fixed in policy 1.27.1 upstream. I'll
attach the specific diff that went into the upstream policy, but Dale
reported that he had to manually apply the change because it didn't
apply cleanly against the Debian policy. It is simply a matter of
adding the etc_writer attribute to the kernel_t type declaration
unconditionally (i.e. without the surrounding ifdef).
I think that Debian libsepol is being maintained by Manoj, and Debian
policy is being maintained by Russell. cc'd.
However, note that Dale has reported other issues with Debian policy as
well; see his postings for his workarounds so far.
--
Stephen Smalley
National Security Agency
[-- Attachment #2: libsepol-1.9.1.diff --]
[-- Type: text/x-patch, Size: 2341 bytes --]
Index: libsepol/ChangeLog
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/ChangeLog,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -p -r1.59 -r1.60
--- libsepol/ChangeLog 6 Sep 2005 17:52:49 -0000 1.59
+++ libsepol/ChangeLog 9 Sep 2005 14:32:32 -0000 1.60
@@ -1,3 +1,7 @@
+1.9.1 2005-09-09
+ * Fixed expand_avtab and expand_cond_av_list to keep separate
+ entries with identical keys but different enabled flags.
+
1.8 2005-09-06
* Updated version for release.
Index: libsepol/VERSION
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/VERSION,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -p -r1.54 -r1.55
--- libsepol/VERSION 6 Sep 2005 17:52:49 -0000 1.54
+++ libsepol/VERSION 9 Sep 2005 14:32:32 -0000 1.55
@@ -1 +1 @@
-1.8
+1.9.1
Index: libsepol/src/expand.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/expand.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- libsepol/src/expand.c 23 Aug 2005 13:05:18 -0000 1.10
+++ libsepol/src/expand.c 9 Sep 2005 14:32:35 -0000 1.11
@@ -1916,17 +1916,29 @@ int expand_module(policydb_t *base, poli
static int expand_avtab_insert(avtab_t *a, avtab_key_t *k, avtab_datum_t *d)
{
+ avtab_ptr_t node;
avtab_datum_t *avd;
int rc;
-
- avd = avtab_search(a, k);
- if (!avd) {
+
+ node = avtab_search_node(a, k);
+ if (!node) {
rc = avtab_insert(a, k, d);
if (rc)
DEBUG(__FUNCTION__, "Out of memory!\n");
return rc;
}
-
+
+ if ((k->specified & AVTAB_ENABLED) !=
+ (node->key.specified & AVTAB_ENABLED)) {
+ node = avtab_insert_nonunique(a, k, d);
+ if (!node) {
+ DEBUG(__FUNCTION__, "Out of memory!\n");
+ return -1;
+ }
+ return 0;
+ }
+
+ avd = &node->datum;
switch (k->specified & ~AVTAB_ENABLED) {
case AVTAB_ALLOWED:
case AVTAB_AUDITALLOW:
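Review bot: In expand_avtab_insert the new AVTAB_ENABLED comparison is made only against the single node that avtab_search_node returns. Once avtab_insert_nonunique has stored a second entry under the same key, a later call whose enabled flag matches that second entry but not the first one would add yet another duplicate instead of merging into the matching entry through the switch below. Consider walking every node stored under the key and falling through to the merge on the first one whose enabled flag matches, inserting a non-unique node only when none does. Two smaller points: the new failure path returns a literal -1 while the avtab_insert path above returns rc, and the blank lines replaced at the top and middle of the function appear to differ only in whitespace, which adds noise to the hunk.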
@@ -2035,7 +2047,8 @@ static int expand_cond_insert(cond_av_li
cond_av_list_t *nl;
node = avtab_search_node(expa, k);
- if (!node) {
+ if (!node ||
+ (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED)) {
node = avtab_insert_nonunique(expa, k, d);
if (!node) {
DEBUG(__FUNCTION__, "Out of memory!\n");
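Review bot: The condition added to expand_cond_insert repeats the same (k->specified & AVTAB_ENABLED) != (node->key.specified & AVTAB_ENABLED) test that the previous hunk adds to expand_avtab_insert, and the second line of the if runs well past 80 columns. A small static helper that takes the key and the node and reports whether the enabled flags differ would keep the two call sites in step and shorten this line. A one-line comment saying why entries with identical keys but different enabled flags must stay separate would also help, since nothing in the code here explains it.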
[-- Attachment #3: policy-kernel.diff --]
[-- Type: text/x-patch, Size: 922 bytes --]
Index: policy/domains/misc/kernel.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/misc/kernel.te,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- policy/domains/misc/kernel.te 5 Jul 2005 19:30:10 -0000 1.13
+++ policy/domains/misc/kernel.te 15 Sep 2005 08:14:12 -0000 1.14
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
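Review bot: Dropping the ifdef on the kernel_t declaration gives kernel_t the etc_writer attribute in every build, not only when nfs_export_all_rw is defined, yet the comment block above the declaration still says nothing about why kernel threads need it. Since this widens what kernel_t is granted by default, please add a comment line stating the reason the attribute has to be unconditional, so a later least-privilege cleanup does not put the ifdef back and reintroduce the failure.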
Thread overview: 20+ messages
2005-09-17 23:31 State of Debian SELinux Dale Amon
2005-09-18 0:10 ` Jiann-Ming Su
2005-09-18 9:47 ` Dale Amon
2005-09-18 0:15 ` Luke Kenneth Casson Leighton
2005-09-18 9:58 ` Dale Amon
2005-09-18 10:42 ` Luke Kenneth Casson Leighton
2005-09-18 21:58 ` Dale Amon
2005-09-18 22:48 ` Luke Kenneth Casson Leighton
2005-09-19 11:15 ` Dale Amon
2005-09-19 11:56 ` Luke Kenneth Casson Leighton
2005-09-19 12:12 ` Stephen Smalley
2005-09-23 18:53 ` sswami
2005-09-23 20:02 ` Stephen Smalley
2005-09-19 12:27 ` Stephen Smalley
2005-09-20 18:10 ` Dale Amon
2005-09-20 20:14 ` Stephen Smalley
2005-09-22 19:41 ` Stephen Smalley
2005-09-22 21:31 ` Dale Amon
2005-09-22 21:38 ` Dale Amon
2005-09-22 22:43 ` Dale Amon