* An SELinux policy for Red Hat 9
From: Bradley Chapman @ 2004-07-08 20:17 UTC
To: selinux

Does anyone know of a good place where I can start reading about how
to adapt, or obtain, an SELinux policy for Red Hat 9, running the
2.6.7 kernel with the SELinux userspace package dated 20040628-16?

TIA!

Brad Chapman

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: An SELinux policy for Red Hat 9
From: Russell Coker @ 2004-07-09 11:11 UTC
To: Bradley Chapman; +Cc: selinux

On Fri, 9 Jul 2004 06:17, Bradley Chapman <kakadu@gmail.com> wrote:
> Does anyone know of a good place where I can start reading about how
> to adapt, or obtain, an SELinux policy for Red Hat 9, running the
> 2.6.7 kernel with the SELinux userspace package dated 20040628-16?

Why would you want to do that? Consider Fedora Core 1 as RHL 10, and FC2 as
RHL 11 and just upgrade a couple of versions to get SE Linux support.

But if you REALLY want to use RHL 9, the current policy should work OK, you
just have to make the appropriate changes to pam, logrotate, cron, coreutils,
etc.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

* Re: An SELinux policy for Red Hat 9
From: Bradley Chapman @ 2004-07-09 11:43 UTC
To: russell; +Cc: selinux

Mr. Coker,

On Fri, 9 Jul 2004 21:11:55 +1000, Russell Coker <russell@coker.com.au> wrote:
> On Fri, 9 Jul 2004 06:17, Bradley Chapman <kakadu@gmail.com> wrote:
> > Does anyone know of a good place where I can start reading about how
> > to adapt, or obtain, an SELinux policy for Red Hat 9, running the
> > 2.6.7 kernel with the SELinux userspace package dated 20040628-16?
>
> Why would you want to do that? Consider Fedora Core 1 as RHL 10, and FC2 as
> RHL 11 and just upgrade a couple of versions to get SE Linux support.

I would do that - except for the fact that the system I want to run
SELinux on is my personal system, and upgrading it is currently not
something I wish to do. I may want to upgrade to FC2 later, but right
now I want to stick with RHL9.

> But if you REALLY want to use RHL 9, the current policy should work OK, you
> just have to make the appropriate changes to pam, logrotate, cron, coreutils,
> etc.

What sort of changes? Path changes?

Thanks,

Brad

* Re: An SELinux policy for Red Hat 9
From: Stephen Smalley @ 2004-07-09 12:14 UTC
To: Bradley Chapman; +Cc: Russell Coker, selinux

On Fri, 2004-07-09 at 07:43, Bradley Chapman wrote:
> On Fri, 9 Jul 2004 21:11:55 +1000, Russell Coker <russell@coker.com.au> wrote:
> > But if you REALLY want to use RHL 9, the current policy should work OK, you
> > just have to make the appropriate changes to pam, logrotate, cron, coreutils,
> > etc.
>
> What sort of changes? Path changes?

I think Russell is referring to the userland patches for those
packages. The current patches and SRPMS in our userland tree are drawn
from the Fedora Core development tree, so you are likely to run into
dependency problems building them on RH9. And Fedora Core actually
includes _many_ other patched userland packages for SELinux; we only
maintain a core subset in our tree for reference purposes for people who
want to port to other distributions. A few examples of patched userland
packages in Fedora Core that are not in our tree include gdm, usermode,
atd, and libuser, and there are many others. There is also the issue of
glibc security awareness; the RH9 glibc won't enable secure mode upon
domain transitions, unlike the Fedora Core glibc.

If you truly are limited to using RH9, then you should likely grab an
older release of SELinux that was based on RH9. But life will be
simpler if you can move to FC2.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

* Re: An SELinux policy for Red Hat 9
From: Bradley Chapman @ 2004-07-09 14:52 UTC
To: Stephen Smalley; +Cc: selinux, russell

Mr. Smalley,

On Fri, 09 Jul 2004 08:14:13 -0400, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Fri, 2004-07-09 at 07:43, Bradley Chapman wrote:
> > On Fri, 9 Jul 2004 21:11:55 +1000, Russell Coker <russell@coker.com.au> wrote:
> > > But if you REALLY want to use RHL 9, the current policy should work OK, you
> > > just have to make the appropriate changes to pam, logrotate, cron, coreutils,
> > > etc.
> >
> > What sort of changes? Path changes?
>
> I think Russell is referring to the userland patches for those
> packages. The current patches and SRPMS in our userland tree are drawn
> from the Fedora Core development tree, so you are likely to run into
> dependency problems building them on RH9. And Fedora Core actually
> includes _many_ other patched userland packages for SELinux; we only
> maintain a core subset in our tree for reference purposes for people who
> want to port to other distributions. A few examples of patched userland
> packages in Fedora Core that are not in our tree include gdm, usermode,
> atd, and libuser, and there are many others. There is also the issue of
> glibc security awareness; the RH9 glibc won't enable secure mode upon
> domain transitions, unlike the Fedora Core glibc.

Oh. I thought the patches mentioned were confined mostly to core
system utilities; I had no idea that FC2's modifications for SELinux
were quite that extensive!

> If you truly are limited to using RH9, then you should likely grab an
> older release of SELinux that was based on RH9. But life will be
> simpler if you can move to FC2.

Well, in light of your recommendations, I will certainly consider such
a move now.
If I do decide to move to FC2, how difficult will it then become to
adapt the SELinux policy to my needs?

> --
> Stephen Smalley <sds@epoch.ncsc.mil>
> National Security Agency

Brad

* Re: An SELinux policy for Red Hat 9
From: Stephen Smalley @ 2004-07-09 16:22 UTC
To: Bradley Chapman; +Cc: selinux, Russell Coker

On Fri, 2004-07-09 at 10:52, Bradley Chapman wrote:
> Well, in light of your recommendations, I will certainly consider such
> a move now.
> If I do decide to move to FC2, how difficult will it then become to
> adapt the SELinux policy
> to my needs?

No more difficult than usual; you just install the policy-sources RPM
and then customize and rebuild as desired. You also likely want setools
and setools-gui. However, in general, you may want to do some selective
updating of SELinux-related packages from the Fedora development tree
after installing FC2 in order to pick up the latest policy, which has
been reorganized and partitioned to support multiple policies. This
also requires pulling in the SysVinit, libselinux, and policycoreutils
from the development tree.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

* Re: An SELinux policy for Red Hat 9
From: Valdis.Kletnieks @ 2004-07-09 17:30 UTC
To: Bradley Chapman; +Cc: Stephen Smalley, selinux, russell

On Fri, 09 Jul 2004 15:52:00 BST, Bradley Chapman said:

> If I do decide to move to FC2, how difficult will it then become to
> adapt the SELinux policy
> to my needs?

This will of course depend on how divergent your needs are from either the
'targeted' or 'strict' policies already in the tree. The biggest issue is
whether you have a custom application that needs policy written (and there's
tools to assist in that).