
SELinux Mailing List

Re: SELinux packages for SuSE 9.2

From: Thomas Bleher <bleher_at_informatik.uni-muenchen.de>
Date: Sat, 9 Apr 2005 02:10:48 +0200

* Stephen Smalley <sds@tycho.nsa.gov> [2005-04-08 22:55]:
> On Fri, 2005-04-08 at 09:14 +1000, Paul Dwerryhouse wrote:
> > Hi all,
> >
> > I have created SELinux-enabled packages for SuSE 9.2, and these can be
> > found here:
> >
> > http://suse-selinux.leapster.org/
> >
> > Packages such as libselinux, policycoreutils, etc, have been built from
> > the main NSA SELinux CVS tree.
> >
> > I built the other userspace packages by patching SuSE's 9.2 SRPMs with
> > the selinux patches from Fedora's devel CVS tree, and in many cases
> > modified them to make the patches apply properly.

Ah well. Your announcement came shortly after I finished building packages myself. I'm currently adjusting policy and hadn't come around to putting the packages on the web. Guess I'll send some mails before I start building packages next time :)
For reference, my packages are available at
http://www.cip.ifi.lmu.de/~bleher/selinux/suse/
It's nice to see that other people are working on SELinux on SuSE.

I haven't had the time to look at your rpms in detail; you seem to have patched more programs than I have. Most of my time was invested in making sure that pam works correctly and that it uses unix_chkpwd if possible (pam_unix2.so (a SuSE-specific pam module) has SELinux support but the support is complicated and outdated, so I decided to patch pam_unix.so instead).

> > Also provided is an SELinux-enabled kernel, based on the 2.6.11.4
> > kernel-of-the-day source from SuSE's ftp server, with the latest
> > SELinux patch applied.
> >
> > I have not altered the policy yet, so as it stands, the system will hang
> > if placed into enforcing mode. This is fairly simple to fix - just a small
> > change to the getty policy is required - and I hope to have an updated
> > policy package available later today. However, there will still be a
> > considerable number of policy fixes needed before this is usable.
>
> Have you looked at Thomas Bleher's policy for SuSE?

For the record, I have just put a new suse policy there. The machine works fine in enforcing mode; only a handful of denials are left on boot (haven't had the time to analyze them all). The policy is still rough and contains lots of changes, but I hope to send some patches soon.

> Now if only someone could get these changes into the main SuSE
> distro...

Yes, that would be very nice. Well, they _are_ slowly adding SELinux support, but development is rather closed (compared to e.g. Fedora) so only a SuSE employee could speed integration up (please correct me if I'm wrong and there's a way I can help!)
Let's see what SuSE 9.3 will bring.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7


Received on Fri 8 Apr 2005 - 20:13:46 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 