
new debian SE Linux packages



I have uploaded a new kernel-patch-2.4-lsm package that implements the V9 
policy format and uses /etc/security/selinux to store it.  I have also 
uploaded a matching "selinux" package that will compile to the same format.

With the location change the upgrade path will be a lot smoother.  If you 
want to upgrade from V8 policy to V9 then you should first install the 
"selinux" package and tell it to install the policy (you can't load the 
policy into a V8 kernel because of format differences).

Then at that time you will have both V8 and V9 policy databases installed in 
different locations; when you boot, the kernel will select the appropriate 
policy database.

After that you can compile, install, and boot a kernel for a V9 policy at 
your leisure (but you will be unable to recompile the policy for the V8 
kernel with the latest "selinux" package).


Now the problem I have is that I want it to be possible to compile a V8 and a 
V9 policy database at the same time for easy upgrade support (you don't 
generally do a quick kernel upgrade on the type of machine you run SE Linux 
on).

What I plan to do is to split out the checkpolicy program (the program that 
compiles the ASCII policy file into the database) into a separate package 
with a name based on its version number.  Then it'll be possible to have 
multiple versions installed at the same time.  As this program depends on 
both the kernel source package and the selinux-small source package in a 
version-dependent fashion it will be impossible to have multiple versions be 
buildable by auto-builders.  I plan to keep packages of old versions of the 
checkpolicy package for i386 on my web site.

If anyone has a better solution to this then please make suggestions.


PS  For the Debian people who are getting a bad opinion about SE Linux, most 
of the strange stuff I discussed before (like diverting start-stop-daemon and 
hacking devfsd) was backed out long before I started uploading the packages 
to unstable.

-- 
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.

