SELinux Mailing List
subject: State of Debian SELinux Date: Sun, 18 Sep 2005 00:31:11 +0100
So far Debian SELinux is looking pretty grim, and I'd like feedback on whether there really is a straightforward path to install it. By that I mean one without a lot of kludges and pain as in the long (and already obsolete) description of the Debian install in McCarty's O'Reilly book.

I'm starting from a freshly burned Debian stable install iso. I do a bog standard install up to the point where the reboot brings you into aptitude. I've tried both forks at that point; updating first in sarge or cancelling. I change the sources.list to sid and add Russell's newselinux package line; then I update and after selecting all the appropriate packages (and the 2.6.12 kernel) I upgrade.

Problems:

One, I have to deselect cups in the policy default because it has an error that causes the install to fail. But even without it no go.

I assumed I had to reboot to get the selinuxfs, so I did that. But the boot complains about it and a manual mount /selinuxfs claims the kernel doesn't know what it is. I checked the config; looks like everything associated with selinux (and with xattr's on various file systems) is selected.

The package will still not finish installing. The error is:

    /usr/bin/checkpolicy: loading policy configuration from policy.conf
    libsepol.expand_avtab_insert: Type conflict!
    Out of memory - unable to check assertions.
    Check assertions failed.

I could fiddle a lot more, but that would be counterproductive: this time around I'm looking for a reliable and straightforward install, not just a bit of play time hacking.

Is there an up to date description of the Debian install? McCarty's book is *way* out of date; I could not find a current install procedure on Russell's site, although such might be buried in one of his many find tutorials. Is there a current canonical 1-2-3 procedure for going from the current debian iso to a fully installed SELinux system?

I don't mind if I have to fiddle with policy afterwards, but I do want the comfort of knowing I've got a reliable means of installing and updating (or talking a customer through it) if I am to consider using it for real. Of course the fact that sid seems to be required is a *huge* negative to start with...

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

From: Jiann-Ming Su <sujiannming_at_gmail.com> subject: Re: State of Debian SELinux Date: Sat, 17 Sep 2005 20:10:58 -0400
In case you haven't seen these:

https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

--
Jiann-Ming Su
"I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Dale Amon <amon_at_vnl.com> subject: Re: State of Debian SELinux Date: Sun, 18 Sep 2005 10:47:59 +0100
I'd forgotten about Faye's excellent writing. But it unfortunately describes (somewhat) the process I went through, which was

I shouldn't think any of the debian package mods would come into play at this point as it is prior to fs labeling that things are bombing out.

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net> subject: Re: State of Debian SELinux Date: Sun, 18 Sep 2005 01:15:12 +0100
i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in "unstable". it was painful, took about four to five months, and it worked.

the reason why it took so long was because i set an extremely high entry requirement: a _useful_ kde system. i.e. not one where you have to run some stupid command in order to get your usb devices back, undamaged. that meant using hal, which meant using udev, which meant using shmfs which meant a kernel patch to provide xattrs.

most of the stuff i did or highlighted is slowly filtering its way in, mostly post-sarge-release as that held everything up and i mean everything (libselinux was "optional" package and you cannot have coreutils - a required package depends on an "optional" package. therefore the maintainer of coreutils refused to even look at selinux patches until post-sarge.).

you will NOT get sarge to work [as-is].

you WILL need libselinux1 for a start and because of the freeze some 18 months ago libselinux1 did NOT make it into sarge.

manoj is the best person to speak to as he has de facto taken over coordination of the patches etc. required.

you _will_ need the patched version of dpkg - the one that sets selinux file contexts on files as it unpacks them - just like rpm does.

you _will_ need to add /.dev to the list of files on which selinux contexts are set, because if /.dev ever gets damaged (on the "original" filesystem before udev is mounted and the "original" /dev moved to /.dev) you WILL not be able to boot because /sbin/init relies on /dev/stuff BEFORE udev runs.

basically to solve this one (properly) udev needs to be integrated into debian's initrd (just like it is in redhat's kernels) - or you simply need to run with a kernel that doesn't use an initrd (just like you do with gentoo) which means not use the standard debian kernels because of the risk of non-boot on file system corruption, mkfs.ext2 removing xattrs on /dev/*.

sorry that's a bit long-winded and probably difficult to understand but i'm trying to pack stuff in quickly as i remember it - from several months ago - without time for review of what i've written.

l.
On Sun, Sep 18, 2005 at 12:31:11AM +0100, Dale Amon wrote:

From: Dale Amon <amon_at_vnl.com> subject: Re: State of Debian SELinux Date: Sun, 18 Sep 2005 10:58:07 +0100
And hello yourself. I've been a bit scarce on this list lately. Business has been good for a change... so no playtime. :-)
> i did manage to set up debian/selinux - back when 2.6.6 -> 2.6.9 was in

Ouch. Well, I'm only interested in getting it up on rack mount server class machines with no fancy workstation apps on them. Nothing but LAMP's.

> you will NOT get sarge to work [as-is].

But can you start from the sarge iso and upgrade? Or should I look at whatever they have as the latest and most bleeding edge "don't look at me crosseyed or I'll fall over" sid iso?

> you WILL need libselinux1 for a start and because of the freeze

I'm picking that up from Russell's repository during the upgrade and it does install okay.

> you _will_ need the patched version of dpkg - the one that

Yeah, but that shouldn't matter yet: the problems are in the initial upgrade to SELinux packages so the file system isn't labeled yet and the kernel is still the base debian one.

> sorry that's a bit long-winded and probably difficult to

Oh, that's fine. Many of the items you note will be time savers. Once I get the initial selinux package install to work that is...

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net> subject: Re: State of Debian SELinux Date: Sun, 18 Sep 2005 11:42:19 +0100
then you would do well to consider gentoo/hardened instead!!
> > you will NOT get sarge to work [as-is].

always.

> > you WILL need libselinux1 for a start and because of the freeze

look for manoj's stuff.

> > you _will_ need the patched version of dpkg - the one that

ah, the "bootstrap" problem that i joyously encountered. i found this to be a sticking point, too.

okay, you need to reboot first with ... damn it's been a while... selinux=1 enabled=0 _then_ you stand a good chance of being able to [build and] relabel.

it's something to do with failures in the make process which i never got to the bottom of - probably some of the libselinux / sepol libraries detecting that selinux wasn't enabled, and not allowing the build process to proceed properly.

most people only build and install selinux on already-useable selinux systems.

l.

From: Dale Amon <amon_at_vnl.com> subject: Re: State of Debian SELinux Date: Sun, 18 Sep 2005 22:58:41 +0100
Not an option. The software driving the active the site was written specifically for debian and in debian packages. I'd hate to have to go back to them and say, well, you know those really neat debian packages I did last year...
> > I'm picking that up from Russell's repository during the upgrade

I will, but just in case, do you have a url?

> okay, you need to reboot first with ... damn it's been a while...

Actually, it's enforcing=0. And unfortunately that doesn't help. I still get the same error messages as before.

> it's something to do with failures in the make process which i never

There is definitely something I am missing with libsepol because there is an error about it which means absolutely nothing to me that causes dselect to give up on installing the default policy. It also seems to mean nothing to Google so I guess it has not come up on the mail list either:

    /usr/bin/checkpolicy: loading policy configuration from policy.conf
    libsepol.expand_avtab_insert: Type conflict!
    Out of memory - unable to check assertions.
    Check assertions failed.

Highly informative, n'est-ce pas? I can reproduce it manually:

    cd /etc/selinux/src/
    /usr/bin/checkpolicy

> most people only build and install selinux on already-useable

*amon turns to watch a chicken racing an egg across the road...

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net> subject: Re: State of Debian SELinux Date: Sun, 18 Sep 2005 23:48:50 +0100
> > selinux=1 enabled=0

it's been a while :)

> And unfortunately that doesn't help.

> > it's something to do with failures in the make process which i never

dselect? ha! dselect is for wimps.

okay. describe _exactly_ where you got everything from - what the packages are, etc. how you did the install (you _should_ ideally be messin with the latest linux2.6 nsa source code - kernel, library, etc. but hey if you have found dpkg packages that's cool).

send all info to list. then hopefully someone will know what's up.

i've no real pressing need to install debian/selinux right now (as i did last year) otherwise i would try / see what happens.

l.

From: Dale Amon <amon_at_vnl.com> subject: Re: State of Debian SELinux Date: Mon, 19 Sep 2005 12:15:31 +0100
Okay, you asked for it.

First, a fresh install from Debian the 31r0a sarge i386 net install CD. Take the defaults on pretty much everything except hostname and partitions. I picked the workstation 3 partition option.

After the reboot, I have tried both doing the immediate update in aptitude for sarge, or bogging out and editing the sources.list first. The sources.list file is:

    #deb file:///cdrom/ sarge main
    deb http://ftp.ie.debian.org/debian/ sid main
    deb-src http://ftp.ie.debian.org/debian/ sid main
    deb http://www.coker.com.au/newselinux ./
    deb http://security.debian.org/ stable/updates main

Then I either apt-get update and upgrade or do the same in dselect, depending on mood. Result is the same, the error I described previously.

The set of packages installed at the moment is:

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net> subject: Re: State of Debian SELinux Date: Mon, 19 Sep 2005 12:56:42 +0100
a quick search on google for "manoj selinux" showed two things, one of which is unavailable and could probably be obtained from google cache, and the other is this:

http://wiki.debian.net/?SELinux

oops. manoj's site isn't up. mirrors when it is, anyone?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: State of Debian SELinux
Date: Mon, 19 Sep 2005 08:12:06 -0400
Manoj's site is:
I already have it linked into the Debian page at the selinux sourceforge site, as well as listed in Manoj's entry in selinux-doc/CREDITS.

--
Stephen Smalley
National Security Agency

From: sswami_at_eden.rutgers.edu
subject: Re: State of Debian SELinux
Date: Fri, 23 Sep 2005 14:53:45 -0400 (EDT)
I was trying to install SELinux using the 2.6 kernel. I have been using relevant packages from the coker site. When I do "make policy", I get the following error message:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
libsepol.expand_avtab_insert: Type conflict!
Out of memory - unable to check assertions.
Check assertions failed.

Can anyone please let me know what I should do to get rid of this?
thanks

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: State of Debian SELinux
Date: Fri, 23 Sep 2005 16:02:32 -0400
There are a couple of issues here, as discussed previously in this
thread:
I think that Debian libsepol is being maintained by Manoj, and Debian policy is being maintained by Russell. cc'd. However, note that Dale has reported other issues with Debian policy as well; see his postings for his workarounds so far.

--
Stephen Smalley
National Security Agency

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: State of Debian SELinux
Date: Mon, 19 Sep 2005 08:27:50 -0400
First, I'm not sure why you need to reboot to finish compiling the policy, as the kernel has nothing to do with the policy build. If selinuxfs isn't listed in /proc/filesystems, then SELinux is disabled in your kernel, either via the compile-time options or via the boot time parameter (which in Debian and SuSE defaults to selinux=0; you have to explicitly use selinux=1 to enable it). Fedora defaults to enabled.
> The package will still not finish installing. The

Hmmm...can you send me (just me, not the entire list) that policy.conf? Or apply the attached patch to your libsepol, rebuild it, rebuild checkpolicy against it (it uses the static lib), and try again?

> I could fiddle a lot more, but that would be counter

I think that most of your questions can only be answered by Russell and/or Manoj, as they seem to be maintaining SELinux for Debian.

--
Stephen Smalley
National Security Agency

From: Dale Amon <amon_at_vnl.com>
subject: Re: State of Debian SELinux
Date: Tue, 20 Sep 2005 19:10:40 +0100
To save time I did this in a chroot. The debian version is 1.8-1; your patch applied cleanly against this. I incremented the changelog to reflect the version change and built 1.9-1 debian packages which installed. However, rerunning dselect still shows the same error messages as before.
Reading package lists... Done
I could swap the drives out and try this live instead of from chroot, but I doubt it would matter. Suggestions?

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: State of Debian SELinux
Date: Tue, 20 Sep 2005 16:14:40 -0400
Yes, send me (privately) a copy of the policy.conf file.

--
Stephen Smalley
National Security Agency

From: Stephen Smalley <sds_at_tycho.nsa.gov>
subject: Re: State of Debian SELinux
Date: Thu, 22 Sep 2005 15:41:26 -0400
Just to follow-up on list, after receiving the policy.conf file in question, I found that:
--
Stephen Smalley
National Security Agency

From: Dale Amon <amon_at_vnl.com>
subject: Re: State of Debian SELinux
Date: Thu, 22 Sep 2005 22:31:23 +0100
These are missing:
touch file_contexts/program/dante.fc
These file contexts are duplicated
/etc/selinux/contexts/files/file_contexts: Multiple same specifications for /usr/lib(64)?/netsaint/plugins(/.*)?.

In these files:

file_contexts/program/nagios.fc:/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
file_contexts/program/nrpe.fc:/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
file_contexts/program/nagios.fc:/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t
file_contexts/program/nrpe.fc:/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t

These may have just been fixed since I last updated... I will have to reload policy from scratch to confirm that.
Cups.te has an error:
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

From: Dale Amon <amon_at_vnl.com>
subject: Re: State of Debian SELinux
Date: Thu, 22 Sep 2005 22:38:55 +0100
allow cupsd_config_t rpm_var_lib_t:file { getattr read }; occurs outside of the earlier conditional:
ifdef(`distro_redhat', `
That looks like a Coker to me ;-)

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

From: Dale Amon <amon_at_vnl.com>
subject: Re: State of Debian SELinux
Date: Thu, 22 Sep 2005 23:43:06 +0100
cd file_contexts/program/
touch dante.fc winbind.fc

I won't guarantee my hacks are right, but they get me through dselect at least.

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
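
Added example, not part of any message in this thread: Stephen Smalley's explanation above (no selinuxfs in /proc/filesystems means SELinux is disabled, either at compile time or by the selinux= boot parameter) written as a shell check. The function names, verdict strings, sample files and the kernel config path are assumptions of this example; CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE is the build-time default for selinux= in kernels of that era.

```shell
#!/bin/sh
# Added example (not from the thread): explain why selinuxfs cannot be mounted.
# Every check reads a file given as an argument, so saved copies can be used.

# True if the given copy of /proc/filesystems lists selinuxfs.
selinuxfs_registered() {
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# Print the value of the selinux= boot parameter, or "unset" if it is absent.
# Later occurrences on the command line override earlier ones.
cmdline_selinux() {
    tr ' ' '\n' < "$1" |
        awk -F= '$1 == "selinux" { v = $2 } END { print (v == "" ? "unset" : v) }'
}

# Print the value of KEY ($1) from kernel config file $2; empty if not set.
config_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# diagnose FILESYSTEMS CMDLINE KERNEL_CONFIG: print a one-word verdict.
diagnose() {
    if selinuxfs_registered "$1"; then
        echo enabled
    elif [ "$(config_value CONFIG_SECURITY_SELINUX "$3")" != y ]; then
        echo not-compiled-in
    elif [ "$(cmdline_selinux "$2")" = 0 ]; then
        echo disabled-on-command-line
    elif [ "$(cmdline_selinux "$2")" = unset ] &&
         [ "$(config_value CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE "$3")" = 0 ]; then
        echo disabled-by-default
    else
        echo unknown
    fi
}

# Constructed sample: SELinux compiled in, default off, no selinux=1 at boot.
demo() {
    d=$(mktemp -d)
    printf 'nodev\tproc\n\text3\n' > "$d/filesystems"
    printf 'root=/dev/hda1 ro\n' > "$d/cmdline"
    printf 'CONFIG_SECURITY_SELINUX=y\nCONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0\n' > "$d/config"
    diagnose "$d/filesystems" "$d/cmdline" "$d/config"
    rm -r "$d"
}
demo
# Live system (config path varies by distribution):
#   diagnose /proc/filesystems /proc/cmdline "/boot/config-$(uname -r)"
```

A verdict of disabled-by-default matches the Debian case described in the thread and is resolved by booting with selinux=1.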
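
Added example, not part of any message in this thread: a shell function that finds the kind of conflict reported above for nagios.fc and nrpe.fc before the policy install trips over it. It assumes, as that reported pair suggests, that an entry without a file-type field conflicts with any typed entry for the same regex; the function name and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list conflicting file-context entries.
# find_dup_specs FILE...: print "REGEX<TAB>first-file second-file" per conflict.
find_dup_specs() {
    awk '
        $1 ~ /^\// {                        # entries only; skips comments, blanks, m4
            re = $1
            type = (NF >= 3) ? $2 : "any"   # optional file-type field such as --
            n = ++seen[re]
            ftype[re, n] = type
            src[re, n] = FILENAME
            # Assumption: an untyped entry overlaps every typed one for this regex.
            for (i = 1; i < n; i++)
                if (type == "any" || ftype[re, i] == "any" || ftype[re, i] == type)
                    print re "\t" src[re, i] " " FILENAME
        }
    ' "$@"
}

# Constructed sample files holding the four entries quoted in the error above.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t' \
        '/usr/lib(64)?/nagios/plugins(/.*)? system_u:object_r:bin_t' > "$d/nagios.fc"
    printf '%s\n' \
        '/usr/lib(64)?/netsaint/plugins(/.*)? -- system_u:object_r:bin_t' \
        '/usr/lib(64)?/nagios/plugins(/.*)? -- system_u:object_r:bin_t' > "$d/nrpe.fc"
    (cd "$d" && find_dup_specs nagios.fc nrpe.fc)
    rm -r "$d"
}
demo
```

Run it from the policy source directory as `find_dup_specs file_contexts/program/*.fc`; entries that differ only in an explicit file type (for example -- and -d) are not reported.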
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |