new debian SE Linux packages
I have uploaded a new kernel-patch-2.4-lsm package that implements the V9
policy format and uses /etc/security/selinux to store it. I have also
uploaded a matching "selinux" package that will compile to the same format.
With the location change the upgrade path will be a lot smoother. If you
want to upgrade from V8 policy to V9 then you should first install the
"selinux" package and tell it to install the policy (you can't load the
policy into a V8 kernel because of format differences).
Then at that time you will have both V8 and V9 policy databases installed in
different locations; when you boot, the kernel will select the appropriate
policy database.
After that you can compile, install, and boot a kernel for a V9 policy at
your leisure (but you will be unable to recompile the policy for the V8
kernel with the latest "selinux" package).
Now the problem I have is that I want it to be possible to compile a V8 and a
V9 policy database at the same time for easy upgrade support (you don't
generally do a quick kernel upgrade on the type of machine you run SE Linux
on).
What I plan to do is to split out the checkpolicy program (the program that
compiles the ASCII policy file into the database) into a separate package
with a name based on its version number. Then it'll be possible to have
multiple versions installed at the same time. As this program depends on
both the kernel source package and the selinux-small source package in a
version-dependent fashion it will be impossible to have multiple versions be
buildable by auto-builders. I plan to keep packages of old versions of the
checkpolicy package for i386 on my web site.
If anyone has a better solution to this then please make suggestions.
PS For the Debian people who are getting a bad opinion about SE Linux, most
of the strange stuff I discussed before (like diverting start-stop-daemon and
hacking devfsd) was backed out long before I started uploading the packages
to unstable.
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.